diff --git a/Dockerfile b/Dockerfile index b5dbc268..9e1be6eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,6 +8,8 @@ ARG LINUX_VER=${LINUX_DISTRO}${LINUX_DISTRO_VER} ARG MINIFORGE_VER=notset ARG PYTHON_VER=notset ARG RAPIDS_VER=26.04 +ARG SYFT_ALPINE_VER=notset +ARG SYFT_VER=notset # Gather dependency information FROM python:${PYTHON_VER} AS dependencies @@ -117,7 +119,7 @@ EOF # --- end 'rapidsai/miniforge-cuda' --- # # Base image -FROM miniforge-cuda AS base +FROM miniforge-cuda AS base-build ARG CUDA_VER=notset ARG PYTHON_VER=notset ARG RAPIDS_VER=26.04 @@ -186,8 +188,26 @@ ENTRYPOINT ["/home/rapids/entrypoint.sh"] CMD ["ipython"] +############################# generate SBOM (base) ############################# + +FROM --platform=$BUILDPLATFORM alpine:${SYFT_ALPINE_VER} AS base-sbom +ARG SYFT_VER +RUN \ + --mount=type=bind,from=base-build,source=/,target=/rootfs,ro \ + --mount=type=bind,source=scripts,target=/tmp/build-scripts \ +<&2 + exit 1 +fi + +mkdir -p /out + +syft scan \ + --source-name "rapidsai/${IMAGE_REPO}" \ + --output cyclonedx-json@1.6=/out/sbom.json \ + dir:/rootfs diff --git a/context/scripts/install-syft b/context/scripts/install-syft new file mode 100755 index 00000000..ede51e47 --- /dev/null +++ b/context/scripts/install-syft 
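Review bot: `--source-name "rapidsai/${IMAGE_REPO}"` in the base-sbom stage's `syft scan` depends on IMAGE_REPO, yet the only build arg the stage declares in what is legible here is `ARG SYFT_VER`; the part of the RUN body between the bind mounts and the `<&2` / `exit 1` / `fi` fragment is not readable in this rendering, so the variable may well be declared and guarded there, but it is worth confirming, since an unset IMAGE_REPO would label the SBOM `rapidsai/` with no repository name. A short comment above the stage would also make the contract explicit for the next reader, e.g. `# Runs Syft on the build host (BUILDPLATFORM) against base-build's rootfs, bind-mounted read-only; writes /out/sbom.json and needs IMAGE_REPO for --source-name`. Note too that the stage-level `ARG SYFT_VER` carries no default, so inside the stage it is empty unless passed with --build-arg; the install script's check accepts that case as an error, which is consistent, but the global `ARG SYFT_VER=notset` above does not reach this stage on its own.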
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# [description]
+#
+# Installs the Syft binary (https://github.com/anchore/syft) for SBOM generation.
+# Designed to run on Alpine Linux (the sbom Docker stage).
+#
+# Required environment variables:
+# SYFT_VER - Syft release version (e.g., "1.32.0")
+#
+
+set -eu
+
+if [ "${SYFT_VER:-}" = "" ] || [ "${SYFT_VER}" = "notset" ]; then
+ echo "ERROR: SYFT_VER is not set" >&2
+ exit 1
+fi
+
+case "$(uname -m)" in
+ x86_64) SYFT_ARCH="linux_amd64" ;;
+ aarch64) SYFT_ARCH="linux_arm64" ;;
+ *)
+ echo "ERROR: Unsupported architecture: $(uname -m)" >&2
+ exit 1
+ ;;
+esac
+
+apk add --no-cache curl tar ca-certificates
+
+curl -sSfL \
+ "https://github.com/anchore/syft/releases/download/v${SYFT_VER}/syft_${SYFT_VER}_${SYFT_ARCH}.tar.gz" \
+ | tar -xz -C /usr/local/bin syft
+
+chmod +x /usr/local/bin/syft
diff --git a/versions.yaml b/versions.yaml
index 84711848..130fd6cf 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -4,3 +4,7 @@
 MINIFORGE_VER: 25.11.0-0
 # renovate: datasource=github-releases depName=mikefarah/yq
 YQ_VER: 4.52.2
+# renovate: datasource=github-releases depName=anchore/syft
+SYFT_VER: 1.32.0
+# renovate: datasource=docker depName=alpine versioning=docker
+SYFT_ALPINE_VER: "3.20"
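Review bot: The `curl … | tar` at the end of the script installs the Syft binary with no integrity check, so the build trusts whatever is served for that URL at build time; since SYFT_VER is already pinned in versions.yaml, the archive can be verified against the per-release checksums file (syft publishes `syft_${SYFT_VER}_checksums.txt` next to the archives) before anything is extracted into /usr/local/bin. The rewrite below downloads both files to a temp dir, extracts the archive's line from the checksums file and runs `sha256sum -c` on it (busybox provides sha256sum, grep and mktemp, so no extra apk package is needed), and only then extracts; with `set -e`, a missing or mismatched line aborts the build. Separately, `apk add --no-cache curl tar ca-certificates` is unpinned (hadolint DL3018); on a fixed alpine base pinning those three is cheap and keeps the SBOM stage itself reproducible.
```sh
# … unchanged: header comment, set -eu, SYFT_VER check, SYFT_ARCH case, apk add …

SYFT_ARCHIVE="syft_${SYFT_VER}_${SYFT_ARCH}.tar.gz"
SYFT_URL="https://github.com/anchore/syft/releases/download/v${SYFT_VER}"
TMPDIR="$(mktemp -d)"
trap 'rm -rf "${TMPDIR}"' EXIT

curl -sSfL -o "${TMPDIR}/${SYFT_ARCHIVE}" "${SYFT_URL}/${SYFT_ARCHIVE}"
curl -sSfL -o "${TMPDIR}/checksums.txt" "${SYFT_URL}/syft_${SYFT_VER}_checksums.txt"

# Fail the build unless the archive matches its published SHA-256.
# grep exits non-zero if the archive has no entry, which set -e turns into an abort.
( cd "${TMPDIR}" \
  && grep " ${SYFT_ARCHIVE}\$" checksums.txt > expected.sha256 \
  && sha256sum -c expected.sha256 )

tar -xz -C /usr/local/bin -f "${TMPDIR}/${SYFT_ARCHIVE}" syft
chmod +x /usr/local/bin/syft
```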