Open ianlewis opened 1 year ago
Having some examples of generating provenance for artifacts other than packages or binaries would demonstrate that the generic workflow can be used to generate provenance for files like SBOMs, SARIF files, or vulnerability scan results.
For SBOM, https://github.com/microsoft/sbom-tool is an in-build tool which looks useful.
And https://github.com/opensbom-generator/