diff --git a/.github/workflows/trust.yaml b/.github/workflows/trust.yaml
new file mode 100644
index 0000000..5c82838
--- /dev/null
+++ b/.github/workflows/trust.yaml
@@ -0,0 +1,36 @@
+name: Vulnerability scanning
+
+# all the branches is fine. This shouldn't run on external PRs though
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+env:
+ CARGO_TERM_COLOR: always
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: install rust toolchain
+ run: rustup update stable
+ - name: install go toolchain
+ uses: actions/setup-go@v3
+ - name: install dependencies
+ run: |
+ cargo install cargo-cyclonedx
+ go install github.com/google/osv-scanner/cmd/osv-scanner@v1
+
+ - name: Build SBOM
+ run: cargo cyclonedx -f json --output-prefix bom
+ - name: Check SBOM against vulnerability database
+ id: scan
+ run: |
+ $HOME/go/bin/osv-scanner --sbom=bom.json > scan.txt
+ - name: Display CVEs analysis result as summary
+ if: failure()
+ run: |
+ echo "#OSV search result" >> $GITHUB_STEP_SUMMARY
+ cat scan.txt >> $GITHUB_STEP_SUMMARY
\ No newline at end of file
diff --git a/Cargo.toml b/Cargo.toml
index fb1a9b7..cb53b68 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,7 +19,7 @@ tokio = { version = "1", features = ["full"] }
 anyhow = "1.0"
 thiserror = "1.0"
-reqwest = { version = "0.11", features = ["blocking", "json"] }
+reqwest = { version = "0.11.14", features = ["blocking", "json"] }
 clap = { version = "3.2.22", features = ["cargo", "env"] }
 oauth2 = "4.1.0"
@@ -41,7 +41,7 @@ qstring = "0.7.2"
 url = { version = "2.2.1", features = ["serde"] }
 urlencoding = "1.3"
-chrono = { version = "0.4", features = ["serde"]}
+chrono = { version = "0.5.0-alpha.1", features = ["serde"]}
 webbrowser = "0.5.5"
@@ -52,7 +52,7 @@ tabular = "0.2"
 base64 = "0.21.0"
 rcgen = { version = "0.8.11", features = ["pem", "x509-parser"] }
-x509-parser = "0.9.2"
+x509-parser = "0.14.0"
 json_value_merge = "0.1.2"
 rsa = "0.5.0"
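Review bot: The new `scan` job runs with the repository's default GITHUB_TOKEN permissions because the workflow sets no `permissions:` key, yet its steps only need to read the checkout and append to the step summary; add a top-level `permissions:` block with `contents: read` so the token is least-privilege. The same hunk installs all of its tooling at floating versions (`actions/checkout@v3`, `actions/setup-go@v3`, `cargo install cargo-cyclonedx`, `osv-scanner@v1`), so a scan's outcome depends on whatever those projects ship on the day it runs; pinning the actions to a commit SHA and the two tools to exact versions keeps the vulnerability scan reproducible and reviewable. The comment `# all the branches is fine. This shouldn't run on external PRs though` describes a restriction the bare `on: pull_request:` trigger does not enforce, so either reword it to state what actually happens or add the condition it describes. Lastly, `echo "#OSV search result"` does not render as a Markdown heading in the step summary without a space after `#`; use `echo "# OSV search result"`.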
@@ -71,3 +71,9 @@ uuid = {version= "1.0", features = ["v4"]}
 [patch.crates-io]
 #drogue-client = { git = "https://github.com/drogue-iot/drogue-client", rev = "3e0fdb91305803c51946f8a818e4f053ab88c2c3" } # FIXME: awaiting release
 #drogue-client = { path = "../drogue-client" }
+
+#SBOM fixes
+chrono = {git = "https://github.com/chronotope/chrono", branch = "main"}
+native-tls = {git = "https://github.com/sfackler/rust-native-tls", branch = "master"}
+oauth2 = {git = "https://github.com/ramosbugs/oauth2-rs", branch = "main"}
+x509-parser = {git = "https://github.com/jbtrystram/x509-parser", branch = "patch-1"}
\ No newline at end of file
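Review bot: The four `[patch.crates-io]` entries added here track moving branches (`branch = "main"`, `branch = "master"`, `branch = "patch-1"`) with no `rev`, so each build resolves a different, unreviewed commit and the SBOM that the new trust.yaml workflow scans describes a dependency tree that cannot be reproduced later; pin every entry with `rev = "<commit-sha>"` (the commit that was actually audited), as the commented-out `drogue-client` line just above already does. `x509-parser` is additionally redirected to a personal fork (`jbtrystram/x509-parser`, branch `patch-1`) of a certificate-parsing crate, which deserves a comment naming the upstream change it carries and when the patch can be dropped. The `#SBOM fixes` comment reads as if the goal is a clean scan rather than fixed code; if these are unreleased upstream fixes for advisories the scanner reported, say so, e.g. `# Temporary: unreleased upstream fixes for advisories reported by osv-scanner; remove once released`. Since osv-scanner matches crates.io advisories by name and version, a git-sourced crate that reports an unreleased version may merely fall outside the affected range rather than contain the fix, so it is worth confirming each patched crate against the advisory the scan actually raised.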