diff --git a/.github/workflows/config/syft.yml b/.github/workflows/config/syft.yml
new file mode 100644
index 0000000..f2f4140
--- /dev/null
+++ b/.github/workflows/config/syft.yml
@@ -0,0 +1,6 @@
+# For studio-client Olugins you can skip the scanning process
+# because Plugins are not supposed to introduce new dependencies.
+# The dependencies in the lockfile are considered provided dependencies.
+# The actual version is determined by the studio-client application.
+exclude:
+ - "./studio-client/**/pnpm-lock.yaml"
diff --git a/.github/workflows/createAndScanSBOM.yml b/.github/workflows/createAndScanSBOM.yml
index 8bb9cf6..85ef8d3 100644
--- a/.github/workflows/createAndScanSBOM.yml
+++ b/.github/workflows/createAndScanSBOM.yml
@@ -15,26 +15,27 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
+ # The SBOM action generates and SBOM with the given format and automatically
+ # attaches it to the release, if it was triggered in the context of a release event.
 - name: Generate SBOM with Syft
 uses: anchore/sbom-action@v0
 with:
 path: .
 output-file: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
 format: "cyclonedx-json"
- config: ".syft/config.yml"
+ config: ".github/workflows/config/syft.yml" # config to exclude pnpm-lock.yaml
+ # Scans the SBOM for vulnerabilities with Grype
 - name: Scan SBOM with Grype
 id: scan
 uses: anchore/scan-action@v5
 with:
 fail-build: false
- by-cve: true
- cache-db: true
+ by-cve: true # Prefer using CVE ids over GHSA ids
+ cache-db: true # Minimize risk of hitting rate limits
 sbom: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
- - name: Verify SARIF file
- run: cat ${{ steps.scan.outputs.sarif }}
-
+ # Upload the scan results to GitHub Security tab
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@v3
 with:
diff --git a/.syft/config.yml b/.syft/config.yml
deleted file mode 100644
index 242e562..0000000
--- a/.syft/config.yml
+++ /dev/null
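Review bot: Excluding `./studio-client/**/pnpm-lock.yaml` from the Syft scan drops the plugins' dependency declarations from the SBOM instead of verifying the assumption the comment states, so a plugin that does pin an extra or newer package than the host application provides would be missing from the SBOM and never reach the Grype scan downstream. The comment should at least record that trade-off, e.g. `# NOTE: this hides, rather than enforces, the "no new dependencies" rule — a plugin lockfile that diverges from the studio-client application's will not be scanned.`; a stronger option is to keep the lockfiles in the SBOM and instead add a check that plugin lockfiles introduce no packages absent from the host application's lockfile. Also fix the typo on the first line: `# For studio-client plugins you can skip the scanning process`.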
@@ -1,12 +0,0 @@
-# a list of globs to exclude from scanning, for example:
-# exclude:
-# - "/etc/**"
-# - "./out/**/*.json"
-# SYFT_EXCLUDE env var / --exclude flag
-#
-# For studio-client plugins you can skip the scanning process
-# because they are not supposed to introduce new dependencies.
-# The dependencies in the lockfile are considered runtime dependencies.
-# The actual version is determined by the studio-client application.
-exclude:
- - "./studio-client/**"