Encourage user to attest to their SBOM

[laurentsimon]

Hi

I'm one of the maintainers of OpenSSF project's SLSA native GitHub generators.

We would like to encourage users to add a provenance attestation to their SBOM documents. We can add a section "SBOM attestations" in our own documentation.

Similarly, encouraging users to generate SLSA attestation could be added to the documentation in this repo. Cross-linking to our repositories would be a great way to increase adoption of best practices across projects simultaneously.

Here's what I think the documentation would look like on the slsa-generator repo:

1. Download the binary from the opensbom-generator.
2. Verify the SLSA provenance of the binary (once Generate SLSA signature / provenance for your artifacts #272 is complete), using the slsa-verifier (We are releasing a GitHub action installer in the next couple weeks)
3. Run the sbomgenerator
4. Add a step to generate the attestation to the SBOM.

How does this sound? Would anyone be interested in helping out to make this happen?