diff --git a/pipeline.yml b/pipeline.yml
index 89fecb0..467bb48 100644
--- a/pipeline.yml
+++ b/pipeline.yml
@@ -5,6 +5,8 @@ stages:
 variables:
   GO_VERSION: "1.22"
   GOLANGCI_LINT_VERISON: "v1.58.0"
+  SYFT_VERSION: "v1.3.0"
+  GRYPE_VERSION: "v0.77.2"
 
 gitlab_generic_package:
   stage: deploy
diff --git a/pipelines/golang.yml b/pipelines/golang.yml
index a81b7aa..ebd8c8d 100644
--- a/pipelines/golang.yml
+++ b/pipelines/golang.yml
@@ -1,6 +1,5 @@
 stages:
   - build
-  - package
   - validate
   - publish
 
@@ -38,6 +37,18 @@ golang-lint:
       exists:
         - "go.mod"
 
+generate_sbom:
+  extends: .generate_sbom
+  stage: validate
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ '/^release/' || $CI_MERGE_REQUEST_IID
+
+generate_cve:
+  extends: .generate_cve
+  stage: validate
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ '/^release/' || $CI_MERGE_REQUEST_IID
+
 version:
   extends: .version
   stage: .pre
@@ -63,7 +74,6 @@ docker-build:
     - job: version
       optional: true
       artifacts: true
-  rules:
   rules:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ '/^release/' || $CI_MERGE_REQUEST_IID
       exists:
diff --git a/scripts/scanner/grype.sh b/scripts/scanner/grype.sh
new file mode 100644
index 0000000..fa549db
--- /dev/null
+++ b/scripts/scanner/grype.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#%%MULTILINE_YAML_START
+#grype scan sboms
+
+for i in syft/*.sbom.json;
+do filename=${i%*.sbom.json};
+  filename=${filename##/};
+  grype syft/$i -o json --file syft/$filename.cve.json;
+done
diff --git a/scripts/scanner/syft-go.sh b/scripts/scanner/syft-go.sh
new file mode 100644
index 0000000..ca15091
--- /dev/null
+++ b/scripts/scanner/syft-go.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#%%MULTILINE_YAML_START
+#Syft scan for go
+
+if [ -f "go.mod" ]; then
+  syft go.mod -o cyclonedx-json=syft/${CI_PROJECT_NAME}.sbom.json
+fi
diff --git a/scripts/scanner/syft-mkdir.sh b/scripts/scanner/syft-mkdir.sh
new file mode 100644
index 0000000..4cd9c27
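Review bot: generate_cve is added to the same `validate` stage as generate_sbom but declares no dependency on it, so GitLab schedules the two jobs concurrently and generate_cve never receives the `syft/` artifacts that grype.sh globs over (artifacts flow only from earlier stages or from jobs named in `needs`). The result is a job that scans nothing, or fails on the unmatched glob, while reporting success. Add `needs: [generate_sbom]` to generate_cve, or move it to a later stage. The `rules` expression is now copied verbatim from docker-build into both new jobs; a hidden `.scan_rules` template pulled in with `!reference` would keep the three in step when the branch policy changes.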
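Review bot: The loop in grype.sh doubles the directory prefix: `$i` already expands to `syft/<name>.sbom.json`, so both `grype syft/$i` and `--file syft/$filename.cve.json` point at `syft/syft/...`, which does not exist, and `${filename##/}` strips only a leading slash rather than the directory part (`${filename##*/}` was presumably intended). With no `nullglob`, an empty `syft/` directory also runs the body once with the literal pattern. The three scripts are added with mode 100644 (this one, syft-go.sh and syft-mkdir.sh) yet codescan.tpl.yml invokes them directly as `./scripts/scanner/...sh`, so they need the executable bit or a `bash` prefix in `script:`. Note too that grype runs without `--fail-on`, so findings never gate the pipeline; if the job is intentionally report-only, say so in the header comment. A corrected loop:

```shell
set -euo pipefail
shopt -s nullglob

for sbom in syft/*.sbom.json; do
  name=${sbom##*/}
  name=${name%.sbom.json}
  grype "sbom:$sbom" -o json --file "syft/$name.cve.json"
done
```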
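Review bot: syft-go.sh points syft at the single file `go.mod`, so the SBOM can only reflect what that file declares; as far as I can tell, cataloguing the checkout (`syft "dir:." -o "cyclonedx-json=syft/${CI_PROJECT_NAME}.sbom.json"`) or the built binary gives a more complete inventory, and the quoting protects against a `CI_PROJECT_NAME` with spaces or an unset value. When `go.mod` is absent the script exits 0 having produced nothing, and generate_sbom (unlike golang-lint) has no `exists: ["go.mod"]` rule, so non-Go projects get a green job and an empty artifact; either add that rule or make the missing-file case fail loudly. The script also lacks `set -euo pipefail`, so a syft error inside the `if` is not guaranteed to fail the job.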
--- /dev/null
+++ b/scripts/scanner/syft-mkdir.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+#%%MULTILINE_YAML_START
+#mkdir for syft files
+
+mkdir $CI_PROJECT_DIR/syft
diff --git a/templates/codescan.tpl.yml b/templates/codescan.tpl.yml
new file mode 100644
index 0000000..400e8b1
--- /dev/null
+++ b/templates/codescan.tpl.yml
@@ -0,0 +1,18 @@
+.generate_sbom:
+  image: registry.internal.durp.info/anchore/syft:${SYFT_VERSION}
+  script:
+    - ./scripts/scanner/syft-mkdir.sh
+    - ./scripts/scanner/syft-go.sh
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - $CI_PROJECT_DIR/syft
+
+.generate_cve:
+  image: registry.internal.durp.info/anchore/grype:${GRYPE_VERSION}
+  script:
+    - ./scripts/scanner/grype.sh
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - $CI_PROJECT_DIR/syft
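Review bot: `mkdir $CI_PROJECT_DIR/syft` fails when the directory already exists, which happens on a retried job or a runner that reuses its checkout, and the unquoted expansion breaks on any path containing spaces; use `mkdir -p "$CI_PROJECT_DIR/syft"`. Given that this is the script's only command, folding it into syft-go.sh would also remove one `script:` entry and one file that needs the executable bit.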
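Review bot: `expire_in: 1 hour` on both templates throws away the SBOM and the CVE report an hour after the run, which defeats the point of generating them as supply-chain evidence; a longer retention (`expire_in: 1 week` or the project's default) and `artifacts: reports: cyclonedx: "syft/*.sbom.json"` on `.generate_sbom` would also let GitLab ingest the CycloneDX output that syft-go.sh writes, whereas grype's `-o json` is not a format the platform consumes. If the mirrored `anchore/syft` and `anchore/grype` images keep upstream's entrypoint, `script:` lines will not run as written and the `image:` entries need `entrypoint: [""]` (and a shell present in the image) — worth confirming against the registry copies. grype also fetches its vulnerability database at run time, so the job needs egress to the DB source or a pre-seeded `GRYPE_DB_CACHE_DIR`; pin that down in a comment so an air-gapped runner does not silently scan against a stale or empty database. `${SYFT_VERSION}` and `${GRYPE_VERSION}` resolve only when pipeline.yml is included alongside this template; a one-line comment naming that dependency would help the next consumer of the template.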