More documentation not only to generate the attestation for a SBOM but also to know how to verify it

[0GiS0]

Hi there 👋🏻

It would be great if there was some more documentation not only to generate the attestation for a SBOM but also to know how to verify what this action generates. Because if you are not an expert in this area it is difficult to know what to do once you launch this action.

I have been able to invoke this action for an image and for a binary but after that I don't know what to do with it 😖

Thank you so much

[bdehamer]

No matter what type of attestation you are generating (build provenance, SBOM, etc) you can use the gh attestation verify command to do the verification. More details in the docs: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli