diff --git a/.github/workflows/c4po-sbom.yml b/.github/workflows/c4po-sbom.yml
new file mode 100644
index 0000000..9441a65
--- /dev/null
+++ b/.github/workflows/c4po-sbom.yml
@@ -0,0 +1,122 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: "Supply Chain Security C4PO SBOM Demo"
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+
+env:
+  ANGULAR_PATH: security-c4po-angular
+  API_PATH: security-c4po-api
+  REPORTING_PATH: security-c4po-reporting
+  CFG_PATH: security-c4po-cfg
+
+  ANGULAR_CLI_VERSION: 13
+
+
+jobs:
+
+  angular_job:
+    name: "Angular Job"
+
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v3
+
+      - name: "Use Node.js 14.x"
+        uses: actions/setup-node@v1
+        with:
+          node-version: '14.x'
+          cache: 'npm'
+          
+      - name: "Install NPM dependencies"
+        run: |
+          cd $ANGULAR_PATH
+          npm ci
+
+      - name: "Build assets"
+        run: |
+          cd $ANGULAR_PATH
+          npm run build --if-present
+
+      - name: "Run tests"
+        run: |
+          cd $ANGULAR_PATH
+          npm test
+
+      - name: Generate CycloneDX SBOM
+        id: cyclonedx
+        uses: CycloneDX/action-generate@v1
+        with:
+          output: 'sbom.xml'
+
+      - name: Analyze SBOM with CSAF
+        id: csaf
+        uses: CycloneDX/action-analyze-csaf@v1
+        with:
+          sbom: 'sbom.xml'
+    
+      - name: Print analysis results
+        run: echo "${{ steps.csaf.outputs.analysis }}"
+
+# shift + cmd + /
+#   api_job:
+#     name: "API Job"
+
+#     runs-on: ubuntu-latest
+    
+#     steps:
+#       - name: "Check out code"
+#         uses: actions/checkout@v3
+
+#       - name: "Set up JDK 11"
+#         uses: actions/setup-java@v3
+#         with:
+#           java-version: '11'
+#           distribution: 'temurin'
+
+#       - name: "Setup Gradle"
+#         uses: gradle/gradle-build-action@v2
+#         with:
+#           gradle-version: 6.5
+
+#       - name: "Execute Gradle build"
+#         run: |
+#           cd $API_PATH
+#           ./gradlew clean build -x dependencyCheckAnalyze
+
+#   reporting_job:
+#     name: "Reporting Job"
+
+#     runs-on: ubuntu-latest
+    
+#     steps:
+#       - name: "Check out code"
+#         uses: actions/checkout@v3
+
+#       - name: "Set up JDK 11"
+#         uses: actions/setup-java@v3
+#         with:
+#           java-version: '11'
+#           distribution: 'temurin'
+
+#       - name: "Setup Gradle"
+#         uses: gradle/gradle-build-action@v2
+#         with:
+#           gradle-version: 6.5
+
+#       - name: "Execute Gradle build"
+#         run: |
+#           cd $REPORTING_PATH
+#           ./gradlew clean build