diff --git a/.cirrus.yaml b/.cirrus.yaml
index 62738303d..734d0a62a 100644
--- a/.cirrus.yaml
+++ b/.cirrus.yaml
@@ -9,7 +9,7 @@ env:
 LOCALAPPDATA: C:\sonar-ci\AppData\Local
 TMP_DIR: C:\sonar-ci\temp
 USERPROFILE: C:\sonar-ci
- PATH: C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin;C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool;C:\Program Files\DigiCert\DigiCert One Signing Manager Tools;${PATH}
+ PATH: C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin;C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool;C:\Program Files\DigiCert\DigiCert One Signing Manager Tools;C:\sonar-ci\.dotnet\tools;${PATH}
 ec2_instance_definition: &INSTANCE_DEFINITION
 region: eu-central-1
@@ -38,9 +38,11 @@ build_task:
 SOLUTION_PATH: SonarLint.VisualStudio.Integration.sln
 SONARSOURCE_SNK_FILE: ${TMP_DIR}\SonarSource.snk
 SONARSOURCE_SNK: VAULT[development/team/languages/kv/data/strong_named_key data.SonarSourceSecret_snk]
+ SIGN_KEY: VAULT[development/kv/data/sign data.key]
+ SIGN_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
 calculate_version_script: *CALCULATE_VERSION_SCRIPT_DEFINITION
 prepare_signing_script: |
- if [[ "${CIRRUS_BRANCH}" == "${CIRRUS_DEFAULT_BRANCH}" || "${CIRRUS_BRANCH}" =~ "branch-.*" || "${CIRRUS_BRANCH}" =~ "sign-.*" ]]; then
+ if [[ "${CIRRUS_BRANCH}" == "${CIRRUS_DEFAULT_BRANCH}" ]] || echo "${CIRRUS_BRANCH}" | grep -qE "^branch-.*" || echo "${CIRRUS_BRANCH}" | grep -qE "^sign-.*"; then
 mkdir -p "${TMP_DIR}"
 echo "${SONARSOURCE_SNK}" | base64 -d > "${SONARSOURCE_SNK_FILE}"
 echo "${SM_CLIENT_CERT_FILE_BASE64}" | base64 -d > "${SM_CLIENT_CERT_FILE}"
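Review bot: The rewritten condition on the `prepare_signing_script` line appears to make the `branch-` and `sign-` prefixes match for the first time: in the removed line the right-hand sides of `=~` were quoted, which bash 3.2 and later treats as a literal string, so previously only the default branch (or a branch literally named `branch-.*`) reached the signing setup. With the new line any branch whose name starts with `sign-` now triggers decoding of the strong-name key and the client certificate into the task, so it is worth confirming that creating such branches is limited to the people meant to sign releases. The `.*` in both patterns is redundant; `grep -qE "^branch-"` and `grep -qE "^sign-"` express the same check. The added `SIGN_KEY` and `SIGN_PASSPHRASE` entries appear to be resolved for every `build_task` run rather than only on signing branches; if Cirrus' own secret-scoping rules are not what you rely on, consider gating them the same way. The `if` body continues outside the hunk.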
@@ -60,10 +62,23 @@ build_task:
 msbuild.exe "${SOLUTION_PATH}" -p:VsVersion=17.0 -p:VsTargetVersion=2022 -p:SignArtifacts=${SHOULD_SIGN} -p:AssemblyOriginatorKeyFile=${SONARSOURCE_SNK_FILE} -p:DeployExtension=false -p:Sha1=${CIRRUS_CHANGE_IN_REPO} -p:BuildNumber=${CI_BUILD_NUMBER}
 sign_artifact_script: |
 if [[ "${SHOULD_SIGN}" == "true" ]]; then
- nuget sign "binaries/SonarLint.VSIX-${SONAR_PROJECT_VERSION}.${CIRRUS_BUILD_ID}-2022.vsix" -HashAlgorithm SHA256 -CertificateFingerprint ${SM_CERT_FP} -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256
+ nuget sign "binaries/SonarLint.VSIX-${SONAR_PROJECT_VERSION}.${CI_BUILD_NUMBER}-2022.vsix" -HashAlgorithm SHA256 -CertificateFingerprint ${SM_CERT_FP} -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256
 else
 echo "Artifact not signed"
 fi
+ sbom_generation_script: |
+ if [[ "${SHOULD_SIGN}" == "true" ]]; then
+ sbomname="SonarLint.visualstudio.sbom-$SONAR_PROJECT_VERSION.$CI_BUILD_NUMBER-2022.json"
+ gpg --batch --passphrase "$SIGN_PASSPHRASE" --allow-secret-key-import --import <(echo "$SIGN_KEY")
+ gpg --list-secret-keys
+ dotnet tool install --global CycloneDX
+ dotnet CycloneDX SonarLint.VisualStudio.Integration.sln -t -j -o binaries
+ cd binaries
+ mv bom.json $sbomname
+ gpg --pinentry-mode loopback --passphrase "SIGN_PASSPHRASE" --armor --detach-sig --default-key infra@sonarsource.com "$sbomname"
+ echo "signed $sbomname"
+ ls -al
+ fi
 dogfood_task:
 depends_on:
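Review bot: The detached-signature line in `sbom_generation_script` passes the literal string `"SIGN_PASSPHRASE"` instead of `"$SIGN_PASSPHRASE"`, so `gpg --detach-sig` cannot unlock the key, and because nothing in the script aborts on error (`echo "signed $sbomname"` and `ls -al` run regardless) the task can report an unsigned SBOM as signed — unless Cirrus' script runner already stops on the first failing command, which I cannot confirm from here. Both gpg calls also hand the passphrase over as a command-line argument, where it is readable from the process list for the duration of the call; feeding it over stdin with `--passphrase-fd 0` (together with `--pinentry-mode loopback`, which gpg 2.1+ needs before it honours a batch passphrase, and which the import line currently lacks) avoids that. `dotnet tool install --global CycloneDX` downloads an unpinned version of the SBOM generator at build time; pinning it with `--version` keeps the signed artifact reproducible and narrows what an upstream package change can inject. `gpg --list-secret-keys` and `ls -al` read as leftover debugging output, and `mv bom.json $sbomname` should quote its argument. The rewrite below makes the script fail fast, moves the passphrase off argv, pins the tool and verifies the signature it just produced.
```yaml
  sbom_generation_script: |
    if [[ "${SHOULD_SIGN}" == "true" ]]; then
      set -euo pipefail
      sbomname="SonarLint.visualstudio.sbom-$SONAR_PROJECT_VERSION.$CI_BUILD_NUMBER-2022.json"
      # passphrase travels over a pipe, not argv, so it is not visible in the process list
      printf '%s\n' "$SIGN_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --allow-secret-key-import --import <(printf '%s\n' "$SIGN_KEY")
      # pin the generator so the build does not pull whatever version is latest on the feed
      dotnet tool install --global CycloneDX --version "<PINNED_CYCLONEDX_VERSION>"
      dotnet CycloneDX SonarLint.VisualStudio.Integration.sln -t -j -o binaries
      cd binaries
      mv bom.json "$sbomname"
      printf '%s\n' "$SIGN_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sig --default-key infra@sonarsource.com "$sbomname"
      # fail the task if the signature that was just written does not verify
      gpg --batch --verify "$sbomname.asc" "$sbomname"
      echo "signed $sbomname"
    fi
```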