diff --git a/.claude/settings.json b/.claude/settings.json
new file mode 100644
index 000000000..f292eeaab
--- /dev/null
+++ b/.claude/settings.json
@@ -0,0 +1,5 @@
+{
+ "enabledPlugins": {
+ "dependency-track@skillwire": true
+ }
+}
diff --git a/.github/workflows/production_pipeline.yml b/.github/workflows/production_pipeline.yml
index 45a31167f..6fc1c3b96 100644
--- a/.github/workflows/production_pipeline.yml
+++ b/.github/workflows/production_pipeline.yml
@@ -20,3 +20,14 @@ jobs:
 release_tag: ${{ needs.test.outputs.releasetag }}
 permissions:
 id-token: write
+
+ sbom:
+ name: Upload SBOM
+ needs: [aws_deploy]
+ permissions:
+ contents: read
+ uses: ./.github/workflows/upload-sbom.yml
+ with:
+ projectversion: prod
+ secrets:
+ DTRACK_API_KEY: ${{ secrets.DTRACK_API_KEY }}
diff --git a/.github/workflows/staging_pipeline.yml b/.github/workflows/staging_pipeline.yml
index a2e777db0..9187142d3 100644
--- a/.github/workflows/staging_pipeline.yml
+++ b/.github/workflows/staging_pipeline.yml
@@ -32,6 +32,15 @@ jobs:
 permissions:
 id-token: write
 
+ sbom:
+ name: Upload SBOM
+ needs: [aws_deploy]
+ uses: ./.github/workflows/upload-sbom.yml
+ with:
+ projectversion: staging
+ secrets:
+ DTRACK_API_KEY: ${{ secrets.DTRACK_API_KEY }}
+
 performance:
 needs: [aws_deploy]
 runs-on: ubuntu-latest
diff --git a/.github/workflows/upload-sbom.yml b/.github/workflows/upload-sbom.yml
new file mode 100644
index 000000000..f1c02a0ec
--- /dev/null
+++ b/.github/workflows/upload-sbom.yml
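Review bot: The plugin reference `"dependency-track@skillwire": true` carries no version or integrity pin, so whatever the `skillwire` marketplace serves at the time the agent starts is what gets enabled, and a plugin runs with the agent's tool and filesystem access. If the plugin system supports pinning a version or commit, pin it; otherwise the PR description should record where the `skillwire` marketplace is defined and who controls it, since strict JSON leaves no room for a comment here. This is a supply-chain hygiene point rather than a defect in the file itself.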
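Review bot: The new `sbom` job in production_pipeline.yml only runs when `aws_deploy` succeeds, and the reusable workflow it calls builds the SBOM from a fresh checkout, so the `prod` inventory recorded in Dependency-Track describes the repository at that commit rather than the artifact that was actually shipped, and a failed deploy leaves no record at all. If the build stage produces the deployable artifact, generating the SBOM there and passing it forward as a workflow artifact would make the `prod` upload the exact bill of materials of what was deployed; at minimum this caveat belongs in a comment above the job, e.g. `# SBOM is generated from the checkout, not from the deployed artifact; runs only after a successful deploy`. The explicit `permissions: contents: read` on the job is the right least-privilege default and the staging pipeline should mirror it.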
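Review bot: The `sbom` job added to staging_pipeline.yml has no `permissions:` block, unlike its production counterpart in the same commit which sets `contents: read`, so this caller job receives the workflow's default token permissions. The called workflow declares `permissions: contents: read` and GitHub only lets a reusable workflow downgrade the caller's token, so the effective token is probably read-only anyway, but the cap should be stated at the caller rather than depend on the callee, and the two pipelines should agree. Add after `needs: [aws_deploy]`: `permissions:` / `contents: read`.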
@@ -0,0 +1,52 @@
+name: Upload SBOM
+
+# Generates a CycloneDX SBOM with Syft (auto-detects both the Ruby gems in
+# Gemfile.lock and the Node packages in yarn.lock) and uploads it to
+# Dependency-Track. Called from the staging and production pipelines after a
+# successful deploy.
+
+on:
+ workflow_call:
+ inputs:
+ projectversion:
+ required: true
+ type: string
+ secrets:
+ DTRACK_API_KEY:
+ required: true
+
+permissions:
+ contents: read
+
+jobs:
+ sbom:
+ name: Generate and upload SBOM
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - run: |
+ echo "SYFT_VERSION=v1.45.0" >> "$GITHUB_ENV"
+ echo "SYFT_SCRIPT_SHA=9673f867e50398b5d25ec97ff051a451c46d262c" >> "$GITHUB_ENV"
+
+ - uses: actions/cache@v4
+ with:
+ path: /usr/local/bin/syft
+ key: syft-${{ env.SYFT_VERSION }}
+
+ - name: Install Syft
+ run: |
+ [ -f /usr/local/bin/syft ] || \
+ curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_SCRIPT_SHA}/install.sh" | sh -s -- -b /usr/local/bin "$SYFT_VERSION"
+
+ - run: syft . -o cyclonedx-xml=bom.xml
+
+ - uses: DependencyTrack/gh-upload-sbom@v3
+ with:
+ serverhostname: api-deps.softwire.com
+ apikey: ${{ secrets.DTRACK_API_KEY }}
+ autocreate: true
+ projectname: CORE
+ projectversion: ${{ inputs.projectversion }}
+ parentname: Support
+ bomfilename: bom.xml
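Review bot: The Syft binary restored by `actions/cache@v4` from `/usr/local/bin/syft` is executed without any check, because the `[ -f /usr/local/bin/syft ] ||` guard in the Install Syft step skips the SHA-pinned installer entirely whenever a cache entry keyed `syft-v1.45.0` exists, so a stale or poisoned cache entry written by any other run on the default branch becomes the tool that produces the bill of materials. The effort spent pinning `install.sh` to commit `9673f867…` is also undercut by `actions/checkout@v4`, `actions/cache@v4` and `DependencyTrack/gh-upload-sbom@v3` being referenced by mutable tags, and the last of those receives `DTRACK_API_KEY`. Pin the three actions to full commit SHAs with the tag in a trailing comment (`uses: actions/checkout@<commit-sha> # v4`), and add a verification step after the install that fails on a mismatch, e.g. `echo "<sha256 of the v1.45.0 linux_amd64 syft binary>  /usr/local/bin/syft" | sha256sum -c -`, so the cached path and the fresh-install path converge on the same checked binary. Note also that `autocreate: true` will silently create a new project on a `projectname`/`parentname` typo rather than failing the upload, which is worth a comment on that line.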