diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 5dda1f5..78d4a74 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -124,6 +124,7 @@ jobs:
           --label org.opencontainers.image.vendor="Componentized <https://github.com/componentized>" \
           --label org.opencontainers.image.version="${{ inputs.tag }}" \
           --label org.opencontainers.image.url="${{ github.server_url }}/${{ github.repository }}" \
+          --sbom=true \
           .
 
         mkdir "wasmtime-${{ inputs.tag }}-${{ matrix.arch }}"
diff --git a/Dockerfile b/Dockerfile
index 32b4fc3..09688b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,8 +5,9 @@ RUN \
   apt-get update ; \
   apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y ; \
   rustup target add $(arch)-unknown-linux-musl ; \
+  cargo install --locked cargo-auditable ; \
   if [ "${wasmtime_crate}" = "" ] ; then \
-    cargo install \
+    cargo auditable install \
       --target "$(arch)-unknown-linux-musl" \
       --git https://github.com/bytecodealliance/wasmtime.git \
       --rev "${wasmtime_git_rev}" \
@@ -14,7 +15,7 @@ RUN \
       wasmtime-cli \
     ; \
   else \
-    cargo install \
+    cargo auditable install \
       --target "$(arch)-unknown-linux-musl" \
       --locked \
       wasmtime-cli@${wasmtime_crate} \