GitHub Actions artifact build do not have SBOM attestation in pipeline

Cosign can be used to sign pipeline artifacts to ensure their integrity and prevent tampering prior to and after deployment. Signing SBOMs ensures that no changes were made to an application between the code and deploy phases.

Example Fix

Add cosign sign to sign SBOMs. There are many ways to do this as a job or step in a GitHub Actions pipeline. Below is one example for signing an SBOM.

+ run: cosign attest --predicate sbom.json --type https://cyclonedx.org/bom --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE }}

OR

+ run: cosign sign --key cosign.key container:sha256-1234.sbom