diff --git a/sbom_generation.yaml b/sbom_generation.yaml
new file mode 100644
index 0000000..0b2709f
--- /dev/null
+++ b/sbom_generation.yaml
@@ -0,0 +1,46 @@
+# Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+
+# This OCI DevOps build specification file [1] generates a Software Bill of Materials (SBOM) of the repository.
+# The file is needed to run checks for third-party vulnerabilities and business approval according to Oracle's GitHub policies.
+# [1] https://docs.oracle.com/en-us/iaas/Content/devops/using/build_specs.htm
+
+version: 0.1
+component: build
+timeoutInSeconds: 1000
+shell: bash
+
+steps:
+  - type: Command
+    name: "Install Node.js 22 and matching npm"
+    command: |
+      # Ref https://github.com/oracle/netsuite-suitecloud-sdk/blob/master/sbom_generation.yaml
+      curl -fsSL https://rpm.nodesource.com/setup_18.x | bash -
+      yum install -y nodejs
+      node -v
+      npm -v
+  - type: Command
+    name: "Install corepack"
+    command: |
+      cd extension-api
+      npm install -g corepack
+  - type: Command
+    name: "Install latest yarn"
+    command: |
+      cd extension-api
+      yarn set version stable
+      yarn install
+  - type: Command
+    name: "Install extension-api dependencies"
+    command: |
+      cd extension-api
+      yarn install
+  - type: Command
+    name: "Run cyclonedx-node-yarn on extension-api"
+    command: |
+      cd extension-api
+      # For more details, visit https://github.com/CycloneDX/cyclonedx-node-yarn/blob/main/README.md
+      yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --production --output-format JSON --output-file artifactSBOM.json --spec-version 1.4
+outputArtifacts:
+  - name: artifactSBOM
+    type: BINARY
+    location: ${OCI_PRIMARY_SOURCE_DIR}/artifactSBOM.json