diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c4963b3..67967e0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,12 +1,41 @@
 stages:
+ - sbom
 - security-scan
-## -------------- Security Pipeline ---------------- ##
+## -------------- Security Pipeline ---------------- ##
+sbom-creation:
+ stage: sbom
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "web"
+ when: always
+ - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+ when: always
+ - when: never
+ image:
+ name: ${SBOM_IMAGE}
+ entrypoint: ['']
+ script:
+ - yarn config set npmRegistryServer $NPM_REGISTRY
+ - yarn dlx @cyclonedx/yarn-plugin-cyclonedx --output-file sbom.cyclonedx.json
+ artifacts:
+ paths:
+ - sbom.cyclonedx.json
+ expire_in: 1 days
+
 security-scan:
+ variables:
+ APPSECHUB_PARENT_PIPELINE_ID: $CI_PIPELINE_ID
+ APPSECHUB_SCA_SBOM_GENERATOR: custom
+ APPSECHUB_SBOM_PATH: sbom.cyclonedx.json
+ APPSECHUB_SBOM_MASK: '*bom*.json'
+ CUSTOM_SBOM_GENERATOR_JOB_NAME: sbom-creation
 rules:
- - if: $CI_COMMIT_REF_NAME =~ /(develop)/
+ - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+ when: always
+ - if: $CI_PIPELINE_SOURCE == "web"
 when: always
+ - when: never
 stage: security-scan
 trigger:
 include: