Open
Description
Summary of the new feature / enhancement
As an infrastructure engineer, I want to be able to review a software bill of materials (SBOM) for a resource before I use it in my production environment, so I can comply with regulations/policies and have increased confidence in the provenance of the software that modifies my systems.
Proposed technical implementation details (optional)
Ideally, a manifest should at least be able to point to an SBOM that describes the commands the manifest uses. Potentially, we could reuse the path discovery mechanism to look for SBOMs by convention relative to the manifest file.
I can think of a few potential further integrations, but at least being able to associate the SBOM with the resource seems like a first step.
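The two association options above (an explicit reference from the manifest, or discovery by filename convention next to the manifest) as an added example. This is not the project's code and the issue does not specify any schema: the `sbom` key with `path`/`sha256` fields, the `<stem>.sbom.json` / `<stem>.cdx.json` / `<stem>.spdx.json` conventions, and the CycloneDX-style `components` list are all assumptions, and the manifest/SBOM files are constructed for the demo. The example also pins the SBOM by digest so that a swapped SBOM is detected, and refuses a reference that escapes the manifest's directory.

```python
"""Added example (not the project's code): associate an SBOM with a
resource manifest, either via an explicit reference in the manifest or
by filename convention next to it, then verify and summarise it.

Assumptions (not from the issue): the manifest is JSON; an optional
"sbom" key holds {"path": ..., "sha256": ...}; conventional file names
are <stem>.sbom.json, <stem>.cdx.json, <stem>.spdx.json; the SBOM is
CycloneDX-style JSON with a "components" list. All sample data below is
constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

SBOM_SUFFIXES = (".sbom.json", ".cdx.json", ".spdx.json")  # assumed convention


def candidate_sbom_paths(manifest_path):
    """Conventional SBOM locations derived from the manifest's own path."""
    m = Path(manifest_path)
    stem = m.name.split(".")[0]  # 'example.manifest.json' -> 'example'
    return [m.with_name(stem + s) for s in SBOM_SUFFIXES]


def locate_sbom(manifest_path):
    """Prefer an explicit reference in the manifest; fall back to convention.

    Returns (sbom_path, expected_sha256_or_None), or (None, None).
    """
    m = Path(manifest_path)
    manifest = json.loads(m.read_text())
    ref = manifest.get("sbom")  # hypothetical key, see module docstring
    if isinstance(ref, dict) and "path" in ref:
        # Resolve relative to the manifest and refuse to escape its directory,
        # so a manifest cannot point at an arbitrary file on the host.
        base = m.parent.resolve()
        p = (base / ref["path"]).resolve()
        if base not in p.parents:
            raise ValueError("sbom path escapes manifest directory")
        return p, ref.get("sha256")
    for p in candidate_sbom_paths(m):
        if p.is_file():
            return p, None
    return None, None


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def load_verified_sbom(manifest_path):
    """Locate the SBOM, check its digest if the manifest pins one, return parsed JSON."""
    p, expected = locate_sbom(manifest_path)
    if p is None:
        raise FileNotFoundError("no SBOM associated with %s" % manifest_path)
    if expected is not None and sha256_file(p) != expected:
        raise ValueError("SBOM digest mismatch for %s" % p)
    return json.loads(Path(p).read_text())


def summarize_components(sbom):
    """Return sorted 'name@version' strings for each component (CycloneDX style)."""
    return sorted(
        "%s@%s" % (c.get("name", "?"), c.get("version", "?"))
        for c in sbom.get("components", [])
    )


def build_demo(tmpdir, explicit=True, pin_digest=True):
    """Write a constructed manifest + SBOM pair; return the manifest path."""
    d = Path(tmpdir)
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"name": "example-tool", "version": "1.2.3"},
                           {"name": "libhelper", "version": "0.9"}]}
    sbom_path = d / "example.sbom.json"
    sbom_path.write_text(json.dumps(sbom))
    manifest = {"type": "Example/Resource", "version": "1.0.0"}  # constructed
    if explicit:
        manifest["sbom"] = {"path": "example.sbom.json"}
        if pin_digest:
            manifest["sbom"]["sha256"] = sha256_file(sbom_path)
    manifest_path = d / "example.manifest.json"
    manifest_path.write_text(json.dumps(manifest))
    return manifest_path


def run_demo():
    """Exercise explicit reference, convention fallback and tamper detection."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        mp = build_demo(tmp)
        results["pinned"] = summarize_components(load_verified_sbom(mp))
        mp = build_demo(tmp, explicit=False)
        results["by_convention"] = locate_sbom(mp)[0].name
        mp = build_demo(tmp)
        Path(tmp, "example.sbom.json").write_text("{}")  # simulate a swapped SBOM
        try:
            load_verified_sbom(mp)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The digest pin is what turns "there is an SBOM next to the manifest" into something a reviewer can rely on: without it, convention-based discovery only tells you which file was found, not whether it is the one the resource author published.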