diff --git a/cmd/build.go b/cmd/build.go
index 415827cb..75601624 100644
--- a/cmd/build.go
+++ b/cmd/build.go
@@ -241,6 +241,7 @@ func addBuildFlags(cmd *cobra.Command) {
 	cmd.Flags().Bool("report-github", os.Getenv("GITHUB_OUTPUT") != "", "Report package build success/failure to GitHub Actions using the GITHUB_OUTPUT environment variable")
 	cmd.Flags().Bool("fixed-build-dir", true, "Use a fixed build directory for each package, instead of based on the package version, to better utilize caches based on absolute paths (defaults to true)")
 	cmd.Flags().Bool("docker-export-to-cache", false, "Export Docker images to cache instead of pushing directly (enables SLSA L3 compliance)")
+	cmd.Flags().Bool("disable-sbom", false, "Disable SBOM generation during build (overrides workspace config)")
 }
 
 func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, cache.LocalCache) {
@@ -412,6 +413,17 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, cache.LocalCache) {
 		dockerExportSet = true
 	}
 
+	// Get disable-sbom setting (env var as default, CLI flag overrides)
+	disableSBOMDefault := os.Getenv(EnvvarDisableSBOM) == "true"
+	disableSBOM, err := cmd.Flags().GetBool("disable-sbom")
+	if err != nil {
+		log.Fatal(err)
+	}
+	// If flag wasn't explicitly set, use environment variable
+	if !cmd.Flags().Changed("disable-sbom") {
+		disableSBOM = disableSBOMDefault
+	}
+
 	return []leeway.BuildOption{
 		leeway.WithLocalCache(localCache),
 		leeway.WithRemoteCache(remoteCache),
@@ -430,6 +442,7 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, cache.LocalCache) {
 		leeway.WithInFlightChecksums(inFlightChecksums),
 		leeway.WithDockerExportToCache(dockerExportToCache, dockerExportSet),
 		leeway.WithDockerExportEnv(dockerExportEnvValue, dockerExportEnvSet),
+		leeway.WithDisableSBOM(disableSBOM),
 	}, localCache
 }
 
diff --git a/cmd/root.go b/cmd/root.go
index 9d5e6088..d4a7cb48 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -60,6 +60,9 @@ const (
 
 	// EnvvarMaxSigningConcurrency configures maximum concurrent signing operations
 	EnvvarMaxSigningConcurrency = "LEEWAY_MAX_SIGNING_CONCURRENCY"
+
+	// EnvvarDisableSBOM disables SBOM generation during builds
+	EnvvarDisableSBOM = "LEEWAY_DISABLE_SBOM"
 )
 
 const (
@@ -134,6 +137,7 @@ variables have an effect on leeway:
 <light_blue>LEEWAY_SLSA_SOURCE_URI</strong> Expected source URI for SLSA verification (github.com/owner/repo).
 <light_blue>LEEWAY_SLSA_REQUIRE_ATTESTATION</strong> Require valid attestations; missing/invalid → build locally (true/false).
 <light_blue>LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS</strong> Enable checksumming of cache artifacts (true/false).
+ <light_blue>LEEWAY_DISABLE_SBOM</strong> Disable SBOM generation during builds (true/false).
 <light_blue>LEEWAY_EXPERIMENTAL</strong> Enables experimental leeway features and commands.
 `),
 	PersistentPreRun: func(cmd *cobra.Command, args []string) {
diff --git a/pkg/leeway/build.go b/pkg/leeway/build.go
index 2c33e5b5..16e13650 100644
--- a/pkg/leeway/build.go
+++ b/pkg/leeway/build.go
@@ -492,6 +492,8 @@ type buildOptions struct {
 	DockerExportEnvValue bool // Value from explicit user env var
 	DockerExportEnvSet bool // Whether user explicitly set env var (before workspace)
 
+	DisableSBOM bool // Disable SBOM generation (overrides workspace config)
+
 	context *buildContext
 }
 
@@ -640,6 +642,14 @@ func WithDockerExportEnv(value, isSet bool) BuildOption {
 	}
 }
 
+// WithDisableSBOM disables SBOM generation during build (overrides workspace config)
+func WithDisableSBOM(disable bool) BuildOption {
+	return func(opts *buildOptions) error {
+		opts.DisableSBOM = disable
+		return nil
+	}
+}
+
 func withBuildContext(ctx *buildContext) BuildOption {
 	return func(opts *buildOptions) error {
 		opts.context = ctx
@@ -897,7 +907,8 @@ func Build(pkg *Package, opts ...BuildOption) (err error) {
 	// This ensures we scan even cached packages that weren't rebuilt
 	// Only scan packages that were successfully built or downloaded to avoid
 	// errors when a dependency build failed in a parallel goroutine
-	if pkg.C.W.SBOM.Enabled && pkg.C.W.SBOM.ScanVulnerabilities {
+	// DisableSBOM build option overrides workspace config.
+	if pkg.C.W.SBOM.Enabled && pkg.C.W.SBOM.ScanVulnerabilities && !ctx.DisableSBOM {
 		if err := scanAllPackagesForVulnerabilities(ctx, allpkg, pkgstatus); err != nil {
 			return err
 		}
@@ -1261,7 +1272,8 @@ func (p *Package) build(buildctx *buildContext) (err error) {
 
 	// Generate SBOM if enabled (after packaging - written alongside artifact)
 	// SBOM files are stored outside the tar.gz to maintain artifact determinism.
-	if p.C.W.SBOM.Enabled {
+	// DisableSBOM build option overrides workspace config.
+	if p.C.W.SBOM.Enabled && !buildctx.DisableSBOM {
 		if par, ok := buildctx.Reporter.(PhaseAwareReporter); ok {
 			par.PackageBuildPhaseStarted(p, PackageBuildPhaseSBOM)
 		}
</div><div class="naked_ctrl">
<form action="/index.cgi/contrast" method="get" name="gate">
<p><a href="http://altstyle.alfasado.net">AltStyle</a> によって変換されたページ <a href="https://patch-diff.githubusercontent.com/raw/gitpod-io/leeway/pull/336.diff">(-&gt;オリジナル)</a>
/ <label>アドレス: <input type="text" name="naked_post_url" value="https://patch-diff.githubusercontent.com/raw/gitpod-io/leeway/pull/336.diff" size="22" /></label> <label>モード: <select name="naked_post_mode">
<option value="default">デフォルト</option>
<option value="speech">音声ブラウザ</option>
<option value="ruby">ルビ付き</option>
<option value="contrast" selected="selected">配色反転</option>
<option value="larger-text">文字拡大</option>
<option value="mobile">モバイル</option>
</select>
<input type="submit" value="表示" />
</p>
</form>
</div>