diff --git a/.github/workflows/generate-merge-boms.yml b/.github/workflows/generate-merge-boms.yml
new file mode 100644
index 000000000000..50b23f38f675
--- /dev/null
+++ b/.github/workflows/generate-merge-boms.yml
@@ -0,0 +1,51 @@
+name: Generate and Merge SBOMs and Upload them to DependencyTrack every night
+
+on:
+ schedule:
+ - cron: "0 0 * * *" # Run every day at midnight
+
+concurrency:
+ group: ${{ github.workflow}}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ create-boms:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: dhis-2/
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: 17
+ distribution: temurin
+ cache: maven
+
+ - name: Install CycloneDX CLI
+ run: |
+ curl -s https://api.github.com/repos/CycloneDX/cyclonedx-cli/releases/latest | grep "browser_download_url.*linux.x64" | cut -d '"' -f 4 | wget -i -
+ sudo mv cyclonedx-linux-x64 /usr/local/bin/
+ sudo chmod +x /usr/local/bin/cyclonedx-linux-x64
+
+ - name: Generate BOMs
+ run: mvn cyclonedx:makeBom
+
+ - name: Merge BOMs
+ run: cyclonedx-linux-x64 merge --input-files $(find . -name 'dxbom.json') --input-format json --output-file target/merged-bom.json --output-format json
+
+ - name: Upload SBOM to DependencyTrack
+ env:
+ DEPENDENCY_TRACK_API: "https://dt.security.dhis2.org/api/v1/bom"
+ run: |
+ curl -X POST "$DEPENDENCY_TRACK_API" \
+ --fail-with-body \
+ -H "Content-Type: multipart/form-data" \
+ -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}" \
+ -F "project=56383704-d5a2-4a35-ad6a-081f80f5d6d3" \
+ -F "bom=@target/merged-bom.json"
diff --git a/dhis-2/pom.xml b/dhis-2/pom.xml
index ead83aebaee0..0fbd5423e9fe 100644
--- a/dhis-2/pom.xml
+++ b/dhis-2/pom.xml
@@ -1882,6 +1882,28 @@
sonar-maven-plugin
5.0.0.4389
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+
+ library
+ 1.6
+ true
+ true
+ true
+ true
+ true
+ false
+ false
+ true
+ all
+ dxbom
+ ${project.build.directory}
+
+ false
+
+
+
org.codehaus.mojo
versions-maven-plugin