diff --git a/dvb/cx23885/pkg.yaml b/dvb/cx23885/pkg.yaml index b8a2b2b..d7489ad 100644 --- a/dvb/cx23885/pkg.yaml +++ b/dvb/cx23885/pkg.yaml @@ -46,6 +46,9 @@ steps: cp -r /rootfs/ /extensions-validator-rootfs/rootfs cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}" + sbom: + outputPath: /rootfs/usr/local/share/spdx/cx23885.spdx.json + version: {{ .LINUX_DVB_FIRMWARE }} # {{ end }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr finalize: - from: /rootfs diff --git a/dvb/dvb-m88ds3103/pkg.yaml b/dvb/dvb-m88ds3103/pkg.yaml index c2c743a..bf773f0 100644 --- a/dvb/dvb-m88ds3103/pkg.yaml +++ b/dvb/dvb-m88ds3103/pkg.yaml @@ -33,6 +33,9 @@ steps: cp -r /rootfs/ /extensions-validator-rootfs/rootfs cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}" + sbom: + outputPath: /rootfs/usr/local/share/spdx/dvb-m88ds3103.spdx.json + version: {{ .VERSION }} finalize: - from: /rootfs to: /rootfs diff --git a/firmware/intel-ucode/pkg.yaml b/firmware/intel-ucode/pkg.yaml index d1d62a6..930793e 100644 --- a/firmware/intel-ucode/pkg.yaml +++ b/firmware/intel-ucode/pkg.yaml @@ -24,6 +24,9 @@ steps: cp -r /rootfs/ /extensions-validator-rootfs/rootfs cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}" + sbom: + outputPath: /rootfs/usr/local/share/spdx/intel-ucode.spdx.json + version: {{ .INTEL_UCODE_VERSION }} finalize: - from: /rootfs to: /rootfs diff --git a/guest-agents/qemu-guest-agent/pcre2/pkg.yaml b/guest-agents/qemu-guest-agent/pcre2/pkg.yaml index 35a9381..acc081a 100644 --- a/guest-agents/qemu-guest-agent/pcre2/pkg.yaml +++ b/guest-agents/qemu-guest-agent/pcre2/pkg.yaml 
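Review bot: The added `version: {{ .LINUX_DVB_FIRMWARE }}` is left unquoted, although this same commit quotes the templated `image:` value in vmtoolsd-guest-agent and the `ARCH:` value in zfs-tools. Once the template is rendered, a value such as `1.10` or an all-digit date reaches the YAML parser as a number rather than a string, and whether the SBOM then carries the exact text depends on how bldr decodes the field. Suggest `version: "{{ .LINUX_DVB_FIRMWARE }}"` here and the same quoting for every `version:` and `cpes:` entry added in the other hunks. The block also sits before a `# {{ end }}` line whose opening directive is outside the hunk, so it is only emitted when that template branch is taken.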
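Review bot: `version: {{ .VERSION }}` in the dvb-m88ds3103 hunk uses a generic variable where every other hunk names a package-specific one. If `.VERSION` is the build or repository version rather than the firmware's, the SBOM records a version that says nothing about the blob actually shipped. The variable's definition is not visible here. If no upstream firmware version exists, a comment on the line such as `# no upstream version; tracks the extensions release` would stop it being read as one.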
@@ -23,6 +23,13 @@ steps: install: - | make DESTDIR=/rootfs install + sbom: + outputPath: /rootfs/usr/local/share/spdx/pcre2.spdx.json + version: {{ .PCRE2_VERSION }} + cpes: + - cpe:2.3:a:pcre:pcre2:{{ .CONTAINER_TOOLKIT_VERSION }}:*:*:*:*:*:*:* + licenses: + - BSD-2-Clause finalize: - from: /rootfs to: / diff --git a/guest-agents/vmtoolsd-guest-agent/pkg.yaml b/guest-agents/vmtoolsd-guest-agent/pkg.yaml index 42b0788..ce4fbb8 100644 --- a/guest-agents/vmtoolsd-guest-agent/pkg.yaml +++ b/guest-agents/vmtoolsd-guest-agent/pkg.yaml @@ -3,13 +3,18 @@ variant: scratch shell: /bin/bash dependencies: - stage: base - - image: {{ .BUILD_ARG_PKGS_PREFIX }}/talos-vmtoolsd:{{ .TALOS_VMTOOLSD_VERSION }} + - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/talos-vmtoolsd:{{ .TALOS_VMTOOLSD_VERSION }}" from: / to: /rootfs steps: - test: - | /extensions-validator validate --rootfs=/rootfs --pkg-name="${PKG_NAME}" + sbom: + outputPath: /rootfs/usr/local/share/spdx/vmtoolsd-guest-agent.spdx.json + version: {{ .TALOS_VMTOOLSD_VERSION }} + licenses: + - Apache-2.0 finalize: - from: /rootfs to: / diff --git a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/libseccomp/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/libseccomp/pkg.yaml index 9be6f43..83e78ca 100644 --- a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/libseccomp/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/libseccomp/pkg.yaml @@ -36,6 +36,13 @@ steps: make install DESTDIR=/rootfs # we only need the libs and headers, remove everything else find /rootfs/usr/local/ -type d \( -name bin -o -name sbin -o -name share \) -prune -exec rm -rf {} \; + sbom: + outputPath: /rootfs/usr/local/share/spdx/libseccomp.spdx.json + version: {{ .LIBSECCOMP_VERSION }} + cpes: + - cpe:2.3:a:libseccomp_project:libseccomp:{{ .LIBSECCOMP_VERSION }}:*:*:*:*:*:*:* + licenses: + - LGPL-2.1 finalize: - from: /rootfs to: /rootfs 
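Review bot: The CPE in the added `cpes:` entry is built from `{{ .CONTAINER_TOOLKIT_VERSION }}`, not from the pcre2 version used on the `version:` line just above it, so the SBOM would advertise pcre2 at the NVIDIA container toolkit's version. Scanners that match on CPE would then miss real pcre2 advisories or report unrelated ones. The line should read `- cpe:2.3:a:pcre:pcre2:{{ .PCRE2_VERSION }}:*:*:*:*:*:*:*`.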
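Review bot: The added `outputPath` for libseccomp is under `/rootfs/usr/local/share/`, but the install command directly above it prunes every `share` directory beneath `/rootfs/usr/local/`. If bldr writes the SBOM before that cleanup runs, the file is deleted again and the package ships without one; the hunk does not show the ordering. A comment next to `sbom:` such as `# generated after install, so the share/ prune above does not remove it` would record the assumption, ideally backed by a build check that the file exists. The same applies to the libevent and sqlite hunks, and to open-iscsi, whose install step runs `rm -rf /rootfs/usr/local/{etc,share,include,pkgconfig}`.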
diff --git a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/lts/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/lts/pkg.yaml index 962d133..5f7af16 100644 --- a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/lts/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/lts/pkg.yaml @@ -68,6 +68,13 @@ steps: # run ldconfig to update the cache /rootfs/usr/local/glibc/sbin/ldconfig -r /rootfs + sbom: + outputPath: /rootfs/usr/local/share/spdx/nvidia-container-cli.spdx.json + version: {{ .LIBNVIDIA_CONTAINER_VERSION }} + licenses: + - Apache-2.0 + - GPL-3.0 + - LGPL-3.0 finalize: - from: /rootfs to: /rootfs diff --git a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/production/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/production/pkg.yaml index 6efe9f3..7e2dd28 100644 --- a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/production/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/production/pkg.yaml @@ -68,6 +68,13 @@ steps: # run ldconfig to update the cache /rootfs/usr/local/glibc/sbin/ldconfig -r /rootfs + sbom: + outputPath: /rootfs/usr/local/share/spdx/nvidia-container-cli.spdx.json + version: {{ .LIBNVIDIA_CONTAINER_VERSION }} + licenses: + - Apache-2.0 + - GPL-3.0 + - LGPL-3.0 finalize: - from: /rootfs to: /rootfs diff --git a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml index 1137b0d..34726d1 100644 --- a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml 
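Review bot: `GPL-3.0` and `LGPL-3.0` in the added `licenses:` list of the lts hunk are deprecated SPDX identifiers; the current licence list requires an explicit `-only` or `-or-later` suffix. Strict SPDX validators and licence-policy tooling may flag the bare forms or fail to match them. Use whichever variant upstream actually grants, e.g. `GPL-3.0-only` or `GPL-3.0-or-later`. The same applies to the identical production hunk, to `LGPL-2.1` in libseccomp and libnvme, and to `GPL-2.0` in nut-client, open-iscsi and nvme-cli.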
@@ -58,6 +58,13 @@ steps: mkdir -p /rootfs/usr/local/etc/nvidia-container-runtime cp /pkg/nvidia-container-runtime.toml /rootfs/usr/local/etc/nvidia-container-runtime/config.toml + sbom: + outputPath: /rootfs/usr/local/share/spdx/nvidia-container-runtime.spdx.json + version: {{ .CONTAINER_TOOLKIT_VERSION }} + cpes: + - cpe:2.3:a:nvidia:nvidia_container_toolkit:{{ .CONTAINER_TOOLKIT_VERSION }}:*:*:*:*:*:*:* + licenses: + - Apache-2.0 finalize: - from: /rootfs to: /rootfs diff --git a/power/nut-client/pkg.yaml b/power/nut-client/pkg.yaml index 3f76e74..09c0580 100644 --- a/power/nut-client/pkg.yaml +++ b/power/nut-client/pkg.yaml @@ -81,6 +81,12 @@ steps: cp -r /rootfs/ /extensions-validator-rootfs/rootfs cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}" + sbom: + outputPath: /rootfs/usr/local/share/spdx/nut-client.spdx.json + version: {{ .NUT_VERSION }} + licenses: + - GPL-2.0 + - GPL-3.0 finalize: - from: /rootfs to: /rootfs diff --git a/storage/iscsi-tools/open-iscsi/pkg.yaml b/storage/iscsi-tools/open-iscsi/pkg.yaml index 330c098..c7035f7 100644 --- a/storage/iscsi-tools/open-iscsi/pkg.yaml +++ b/storage/iscsi-tools/open-iscsi/pkg.yaml @@ -46,6 +46,13 @@ steps: rm -rf /rootfs/etc rm -rf /rootfs/usr/local/{etc,share,include,pkgconfig} rm -rf /rootfs/var + sbom: + outputPath: /rootfs/usr/local/share/spdx/open-iscsi.spdx.json + version: {{ .OPEN_ISCSI_VERSION }} + cpes: + - cpe:2.3:a:open-iscsi_project:open-iscsi:{{ .OPEN_ISCSI_VERSION }}:*:*:*:*:*:*:* + licenses: + - GPL-2.0 finalize: - from: /rootfs to: /rootfs diff --git a/storage/nfsrahead/libevent/pkg.yaml b/storage/nfsrahead/libevent/pkg.yaml index 34261c4..d982bba 100644 --- a/storage/nfsrahead/libevent/pkg.yaml +++ b/storage/nfsrahead/libevent/pkg.yaml 
@@ -27,6 +27,13 @@ steps: make DESTDIR=/rootfs install # we only need the libs and headers, remove everything else find /rootfs/usr/local/ -type d \( -name bin -o -name sbin -o -name share \) -prune -exec rm -rf {} \; + sbom: + outputPath: /rootfs/usr/local/share/spdx/libevent.spdx.json + version: {{ .LIBEVENT_VERSION }} + cpes: + - cpe:2.3:a:libevent_project:libevent:{{ .LIBEVENT_VERSION }}:*:*:*:*:*:*:* + licenses: + - BSD-3-Clause finalize: - from: /rootfs to: /rootfs diff --git a/storage/nfsrahead/sqlite/pkg.yaml b/storage/nfsrahead/sqlite/pkg.yaml index 08b406b..c12e56b 100644 --- a/storage/nfsrahead/sqlite/pkg.yaml +++ b/storage/nfsrahead/sqlite/pkg.yaml @@ -27,6 +27,12 @@ steps: make DESTDIR=/rootfs install # we only need the libs and headers, remove everything else find /rootfs/usr/local/ -type d \( -name bin -o -name sbin -o -name share \) -prune -exec rm -rf {} \; + sbom: + outputPath: /rootfs/usr/local/share/spdx/sqlite.spdx.json + version: {{ .SQLITE_VERSION }} + cpes: + - cpe:2.3:a:sqlite:sqlite:{{ .SQLITE_VERSION }}:*:*:*:*:*:*:* + licenses: [] # explicit empty, sqlite is Public Domain finalize: - from: /rootfs to: /rootfs diff --git a/storage/zfs/zfs-tools/pkg.yaml b/storage/zfs/zfs-tools/pkg.yaml index 7e33bef..1f64858 100644 --- a/storage/zfs/zfs-tools/pkg.yaml +++ b/storage/zfs/zfs-tools/pkg.yaml @@ -14,7 +14,7 @@ steps: sha256: {{ .ZFS_TOOLS_SHA256 }} sha512: {{ .ZFS_TOOLS_SHA512 }} env: - ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }} + ARCH: '{{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}' prepare: - | tar -xf zfs.tar.gz --strip-components=1 
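Review bot: The sqlite CPE takes its version straight from `{{ .SQLITE_VERSION }}`, and sqlite release tarballs are named with a packed numeric version rather than the dotted one. If the variable holds the packed form used for the download, the CPE will not match the dotted versions that vulnerability databases use and scanners will silently find nothing. The value is not visible in this hunk, so check it against the vars file. Separately, `licenses: []` leaves the SBOM without any licence statement; SPDX lists `blessing` for sqlite's dedication, which may be usable here if bldr accepts it.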
@@ -40,6 +40,13 @@ steps: # since talos doesn't have a shell, this would fail # the default shipped file is a no-op, so safe to remove. rm -f /rootfs/usr/local/libexec/zfs/zfs_prepare_disk + sbom: + outputPath: /rootfs/usr/local/share/spdx/zfs-tools.spdx.json + version: {{ .ZFS_DRIVER_VERSION }} + cpes: + - cpe:2.3:a:openzfs:openzfs:{{ .ZFS_DRIVER_VERSION }}:*:*:*:*:*:*:* + licenses: + - CDDL-1.0 finalize: - from: /rootfs to: /rootfs diff --git a/tools/nvme-cli/libnvme/pkg.yaml b/tools/nvme-cli/libnvme/pkg.yaml index 03c20ac..6a63129 100644 --- a/tools/nvme-cli/libnvme/pkg.yaml +++ b/tools/nvme-cli/libnvme/pkg.yaml @@ -30,6 +30,11 @@ steps: install: - | DESTDIR=/rootfs meson install -C .build + sbom: + outputPath: /rootfs/usr/local/share/spdx/libnvme.spdx.json + version: {{ .LIBNVME_VERSION }} + licenses: + - LGPL-2.1 finalize: - from: /rootfs to: /rootfs diff --git a/tools/nvme-cli/pkg.yaml b/tools/nvme-cli/pkg.yaml index 7d8732c..ac857d7 100644 --- a/tools/nvme-cli/pkg.yaml +++ b/tools/nvme-cli/pkg.yaml @@ -43,6 +43,11 @@ steps: cp -r /rootfs/ /extensions-validator-rootfs/rootfs cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}" + sbom: + outputPath: /rootfs/usr/local/share/spdx/nvme-cli.spdx.json + version: {{ .NVME_CLI_VERSION }} + licenses: + - GPL-2.0 finalize: - from: /rootfs to: /rootfs
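Review bot: `version:` and the CPE in the zfs-tools hunk use `{{ .ZFS_DRIVER_VERSION }}`, while the source checksums in the same file are `ZFS_TOOLS_SHA256` and `ZFS_TOOLS_SHA512`. If the driver variable carries a packaging suffix or can diverge from the tools tarball that is actually built, the CPE will name a version that was not shipped. Confirm it renders to the plain upstream release number and record that with a comment on the `version:` line, e.g. `# tools and kernel module are released together`.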