diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
index 37f3927f..09e1de53 100644
--- a/.github/workflows/pre-release.yaml
+++ b/.github/workflows/pre-release.yaml
@@ -51,6 +51,8 @@ jobs:
 tags: ghcr.io/sozercan/aikit:dev
 cache-from: type=gha,scope=aikit
 cache-to: type=gha,scope=aikit,mode=max
+ sbom: true
+ provenance: true
 - name: Sign the images with GitHub OIDC Token
 env:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index af658bd2..99403138 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -60,6 +60,8 @@ jobs:
 ghcr.io/sozercan/aikit:latest
 cache-from: type=gha,scope=aikit
 cache-to: type=gha,scope=aikit,mode=max
+ sbom: true
+ provenance: true
 - name: Sign the images with GitHub OIDC Token
 env:
diff --git a/.github/workflows/update-models.yaml b/.github/workflows/update-models.yaml
index a2bfefdb..9c6985c7 100644
--- a/.github/workflows/update-models.yaml
+++ b/.github/workflows/update-models.yaml
@@ -61,6 +61,7 @@ jobs:
 docker buildx build . -t ghcr.io/sozercan/${MODEL_NAME}:${MODEL_SIZE}${MODEL_RUNTIME} \
 -f models/${{ matrix.model }}.yaml \
 --push --progress plain \
+ --sbom=true --provenance=true \
 --cache-from=type=gha,scope=${MODEL_NAME}-${MODEL_SIZE} \
 --cache-to=type=gha,scope=${MODEL_NAME}-${MODEL_SIZE},mode=max
 echo "DIGEST=$(cosign triangulate ghcr.io/sozercan/${MODEL_NAME}:${MODEL_SIZE}${MODEL_RUNTIME} --type digest)" >> $GITHUB_ENV
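Review bot: In pre-release.yaml the new `provenance: true` leaves the level of provenance detail to the action's and BuildKit's defaults, so the workflow does not say what gets recorded in the attestation. Writing the mode out, `provenance: mode=max` (or `mode=min`), makes that a reviewed choice; per Docker's documentation mode=max also records build arguments, so confirm that none of this step's build args carry secrets before choosing it. The same applies to the identical addition in release.yaml. The attestations BuildKit attaches are not signed by themselves, so it is worth checking that the following "Sign the images" step, whose body is outside the hunk, signs the digest this build pushed.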
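Review bot: In update-models.yaml the value exported as DIGEST is still looked up from the tag after the push (the `cosign triangulate` call on the last line), not taken from the build that produced the SBOM and provenance added here. If the tag is moved between the push and the lookup, a later signing step would bind to a different artifact than the one that was attested. Having buildx report the digest, for example by adding `--metadata-file "$RUNNER_TEMP/build-metadata.json" \` and reading `containerimage.digest` from that file, ties the signature to the attested build. The run script starts and continues outside the hunk, so how DIGEST is consumed afterwards is inferred.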