diff --git a/.gitignore b/.gitignore
index d01c764d0..4780aab38 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,3 +69,4 @@ apps/emqx/test/emqx_static_checks_data/master.bpapi
 *.conf.rendered
 lux_logs/
 /.prepare
+bom.json
diff --git a/rebar.config b/rebar.config
index 861046ad9..3d19d2181 100644
--- a/rebar.config
+++ b/rebar.config
@@ -87,4 +87,9 @@
   emqx_exproto_pb % generated code for protobuf
 ]}.
 
-{project_plugins, [erlfmt, {rebar3_hex, "7.0.2"}]}.
+{project_plugins,
+  [ erlfmt,
+    {rebar3_hex, "7.0.2"},
+    {rebar3_sbom,
+      {git, "https://github.com/emqx/rebar3_sbom.git", {tag, "v0.6.1-1"}}}
+]}.
diff --git a/scripts/pre-compile.sh b/scripts/pre-compile.sh
index 0fe99c6b2..56b7d47b4 100755
--- a/scripts/pre-compile.sh
+++ b/scripts/pre-compile.sh
@@ -21,3 +21,4 @@ cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")/.."
 ./scripts/get-dashboard.sh "$dashboard_version"
 ./scripts/merge-config.escript
 ./scripts/merge-i18n.escript
+./scripts/update-bom.sh "$PROFILE_STR" ./rel
diff --git a/scripts/update-bom.sh b/scripts/update-bom.sh
new file mode 100755
index 000000000..20ab45e22
--- /dev/null
+++ b/scripts/update-bom.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+[[ -n "$WITHOUT_UPDATE_BOM" ]] && exit 0
+
+set -euo pipefail
+
+PROFILE="$1"
+REL_DIR="$2"
+
+./rebar3 as "$PROFILE" sbom -f -o "$REL_DIR/bom.json"
+