docs: add content on validating sbom attestations (#54918)

joshjohanning · sabrowning1 · jc-clark · web-flow · commit 196b84e4fd2f · 2025-03-20T22:31:25.000Z
Co-authored-by: Sam Browning &lt;106113886+sabrowning1@users.noreply.github.com&gt;
Co-authored-by: Joe Clark &lt;31087804+jc-clark@users.noreply.github.com&gt;
diff --git a/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds.md b/content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds.md
@@ -177,12 +177,20 @@ When you run your updated workflows, they will build your artifacts and generate
 
 ## Verifying artifact attestations with the {% data variables.product.prodname_cli %}
 
+You can validate artifact attestations for binaries and container images and validate SBOM attestations using the {% data variables.product.prodname_cli %}. For more information, see the [`attestation`](https://cli.github.com/manual/gh_attestation) section of the {% data variables.product.prodname_cli %} manual.
+
+>[!NOTE]These commands assume you are in an online environment. If you are in an offline or air-gapped environment, see [AUTOTITLE](/actions/security-guides/verifying-attestations-offline).
+
+### Verifying an artifact attestation for binaries
+
 To verify artifact attestations for **binaries**, use the following {% data variables.product.prodname_cli %} command.
 
 ```bash copy
 gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY -R ORGANIZATION_NAME/REPOSITORY_NAME
 ```
 
+### Verifying an artifact attestation for container images
+
 To verify artifact attestations for **container images**, you must provide the image's FQDN prefixed with `oci://` instead of the path to a binary. You can use the following {% data variables.product.prodname_cli %} command.
 
 ```bash copy
@@ -191,6 +199,24 @@ docker login ghcr.io
 gh attestation verify oci://ghcr.io/ORGANIZATION_NAME/IMAGE_NAME:test -R ORGANIZATION_NAME/REPOSITORY_NAME
 ```
 
->[!NOTE]These commands assume you are in an online environment. If you are in an offline or air-gapped environment, see [AUTOTITLE](/actions/security-guides/verifying-attestations-offline).
+### Verifying an attestation for SBOMs
+
+To verify SBOM attestations, you have to provide the `--predicate-type` flag to reference a non-default predicate. For more information, see [Vetted predicates](https://github.com/in-toto/attestation/tree/main/spec/predicates#vetted-predicates) in the `in-toto/attestation` repository.
 
-For more information, see the [`attestation`](https://cli.github.com/manual/gh_attestation) section of the {% data variables.product.prodname_cli %} manual.
+For example, the [`attest-sbom` action](https://github.com/actions/attest-sbom) currently supports either SPDX or CycloneDX SBOM predicates. To verify an SBOM attestation in the SPDX format, you can use the following {% data variables.product.prodname_cli %} command.
+
+```bash copy
+gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY \
+  -R ORGANIZATION_NAME/REPOSITORY_NAME \
+  --predicate-type https://spdx.dev/Document/v2.3
+```
+
+To view more information on the attestation, reference the `--format json` flag. This can be especially helpful when reviewing SBOM attestations.
+
+```bash copy
+gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY \
+  -R ORGANIZATION_NAME/REPOSITORY_NAME \
+  --predicate-type https://spdx.dev/Document/v2.3 \
+  --format json \
+  --jq '.[].verificationResult.statement.predicate'
+```
