diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4e6c900..b52d962 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,7 +5,7 @@ on: tags: - 'v*.*.*'
-permissions:
+permissions: contents: read jobs:
@@ -48,6 +48,11 @@ jobs: echo ${{steps.tagger.outputs.version}} echo ${{steps.tagger.outputs.version-without-v}}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.1.1
+ with:
+ cosign-release: 'v2.2.2'
+ - name: Build the OCI Image run: docker build -t ghcr.io/${{ steps.lowercase.outputs.name }}:${{ steps.tagger.outputs.version-without-v }} . working-directory: .
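Review bot: `uses: sigstore/cosign-installer@v3.1.1` pins the installer of the signing tool to a mutable git tag, so anyone who can move that tag in the action repository can change the binary that later receives `COSIGN_PRIVATE_KEY` in this job; pin the action to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3.1.1`. The `cosign-release: 'v2.2.2'` pin of the cosign binary itself is the right approach and should stay. The workflow-level `permissions:` block in the first hunk grants only `contents: read`, while the `docker push` to ghcr.io later in this job needs `packages: write`; the job-level permissions block that would grant it is outside this hunk, so confirm it exists there rather than widening the top-level default.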
@@ -56,3 +61,30 @@ jobs: - name: Push the OCI Image run: docker push ghcr.io/${{ steps.lowercase.outputs.name }}:${{ steps.tagger.outputs.version-without-v }}
+
+ - name: Produce Image SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ image: ghcr.io/${{ steps.lowercase.outputs.name }}:${{ steps.tagger.outputs.version-without-v }}
+ artifact-name: ${{ steps.lowercase.outputs.name }}-${{ steps.tagger.outputs.version-without-v }}.spdx.json
+
+ - name: Sign image with Cosign
+ run: |
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+ - name: Attest the Image with SBOM
+ run: |
+ echo "${{ env.PATCHED_TAG_SBOM }}"
+ SBOM_FILE=$(find /tmp/sbom-action-* -name "*${{ steps.lowercase.outputs.name }}-${{ steps.tagger.outputs.version-without-v }}.spdx.json*.spdx.json" -type f)
+ echo "${SBOM_FILE}"
+ if [ -z "$SBOM_FILE" ]; then
+ echo "Error: .spdx file not found"
+ exit 1
+ fi
+ cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdx --predicate "${SBOM_FILE}" "ghcr.io/${{ steps.lowercase.outputs.name }}:${{ steps.tagger.outputs.version-without-v }}"
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
diff --git a/.gitignore b/.gitignore
index 36690c9..02e51ca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,8 @@ Dockerfile.cross *.swp *.swo *~
+
+
+# Cosign
+
+cosign.key
\ No newline at end of file
diff --git a/cosign/cosign.pub b/cosign/cosign.pub
new file mode 100644
index 0000000..4fdaab6
--- /dev/null
+++ b/cosign/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEefD+XXNrpaElHxFRjhLxGxGAC/8q
+gSOMH30LHqyiVQUO0SiOpjTvIFCNmfkz7ZOtYGIy9otHhrzo32yyYP3k2g==
+-----END PUBLIC KEY-----
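Review bot: The `Sign image with Cosign` step signs `ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}`, a hard-coded reference built from a `copa` step that is not visible anywhere in this diff, so it does not sign the image that `Push the OCI Image` just pushed (`ghcr.io/${{ steps.lowercase.outputs.name }}:${{ steps.tagger.outputs.version-without-v }}`), and if `patched-image` expands empty the reference is a bare repository path. Both `cosign sign` and `cosign attest` should also address the image by digest rather than by tag, since a tag can be re-pointed between the push and the signing and cosign 2.x warns about exactly this; the digest can be captured after the push with `docker inspect --format '{{index .RepoDigests 0}}'` and passed on as a step output. The attestation uses `--type spdx` on an `.spdx.json` predicate, but cosign treats `spdx` as a text SPDX document wrapped in a Data/Format envelope and has a separate `spdxjson` type for JSON SBOMs, so `--type spdxjson` looks like the intended value — confirm against the pinned cosign release. The `echo "${{ env.PATCHED_TAG_SBOM }}"` line references an env variable that nothing in this hunk sets and looks like a leftover to drop. Suggested rewrite of the push, sign and attest steps below, which also moves the `${{ }}` expressions out of `run:` into `env:` so they are not interpolated into shell source.

```yaml
      - name: Push the OCI Image
        id: push
        run: |
          docker push "${IMAGE}"
          # Resolve the manifest digest of what was actually pushed so the later
          # signature and attestation bind to an immutable reference, not a tag.
          DIGEST=$(docker inspect --format '{{index .RepoDigests 0}}' "${IMAGE}" | cut -d@ -f2)
          if [ -z "${DIGEST}" ]; then
            echo "Error: could not resolve pushed image digest" >&2
            exit 1
          fi
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
        env:
          IMAGE: ghcr.io/${{ steps.lowercase.outputs.name }}:${{ steps.tagger.outputs.version-without-v }}

      # … unchanged: Produce Image SBOM …

      - name: Sign image with Cosign
        run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE}"
        env:
          IMAGE: ghcr.io/${{ steps.lowercase.outputs.name }}@${{ steps.push.outputs.digest }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Attest the Image with SBOM
        run: |
          SBOM_FILE=$(find /tmp/sbom-action-* -name "*${SBOM_NAME}*.spdx.json" -type f)
          # … unchanged: empty SBOM_FILE check …
          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdxjson --predicate "${SBOM_FILE}" "${IMAGE}"
        env:
          IMAGE: ghcr.io/${{ steps.lowercase.outputs.name }}@${{ steps.push.outputs.digest }}
          SBOM_NAME: ${{ steps.lowercase.outputs.name }}-${{ steps.tagger.outputs.version-without-v }}.spdx.json
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
```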