diff --git a/.github/workflows/generate-and-upload-bom.yml b/.github/workflows/generate-and-upload-bom.yml
new file mode 100644
index 000000000..36fed8cb9
--- /dev/null
+++ b/.github/workflows/generate-and-upload-bom.yml
@@ -0,0 +1,59 @@
+name: 'dhis2: nightly upload to dependency-track'
+
+# This workflow creates bill of material and uploads it to Dependency-Track each night
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  #schedule:
+  #- cron: '0 0 * * *'
+
+concurrency:
+  group: ${{ github.workflow}}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  create-bom:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        containers: [1, 2, 3, 4]
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+
+      - name: Install
+        run: yarn install --frozen-lockfile
+
+      - name: Install CycloneDX CLI
+        run: |
+          curl -s https://api.github.com/repos/CycloneDX/cyclonedx-cli/releases/latest | grep "browser_download_url.*linux.x64" | cut -d '"' -f 4 | wget -i -
+          sudo mv cyclonedx-linux-x64 /usr/local/bin/
+          sudo chmod +x /usr/local/bin/cyclonedx-linux-x64
+
+      - name: Generate BOMs
+        run: yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --output-file bom.json
+
+      - name: Upload SBOM to DependencyTrack
+        env:
+          DEPENDENCY_TRACK_API: "https://dt.security.dhis2.org/api/v1/bom"
+        run: |
+          curl -X POST "$DEPENDENCY_TRACK_API" \
+            --fail-with-body \
+            -H "Content-Type: multipart/form-data" \
+            -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}" \
+            -F "project=c0bd0f2d-d512-460a-81f9-e256e4fb1054" \
+            -F "bom=@bom.json"
+
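Review bot: The "Install CycloneDX CLI" step downloads whatever the latest release happens to be and installs it into /usr/local/bin with no checksum or signature check, yet no later step invokes cyclonedx-linux-x64 — the BOM is produced by `yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx` — so the step is an unverified download with no purpose and should be dropped (or, if it is needed later, pinned to a release tag and verified against a published checksum before the `sudo mv`). The `containers: [1, 2, 3, 4]` matrix is never referenced, so the job runs four identical copies and posts the same bom.json to Dependency-Track four times; removing the `strategy:` block leaves a single run. With `pull_request` in the triggers, a PR's dependency inventory is uploaded against the fixed master project UUID, which replaces that project's recorded components with the PR's lockfile, and `secrets.DEPENDENCYTRACK_APIKEY` is not available on fork PRs anyway, so consider limiting the upload step to `if: github.event_name != 'pull_request'`. The header comment says the BOM is uploaded "each night" while the `schedule:` trigger is commented out; either enable the cron or reword the comment. Note also that `yarn install --frozen-lockfile` is a Yarn 1 flag while `yarn dlx` exists only in Yarn 2+, so one of the two steps presumably fails depending on which Yarn the repository uses — verify against the checked-in `.yarnrc`/packageManager setting.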