This could be enabled thru `sbom-generate: true` and `sbom-format: xxx` options. I think a scan of the package.json would work, although I'm not 100% sure if additional deps could be pulled in thru the script...
A larger question we need to answer before doing that is how we attest to the SBOM: thru a dedicated provenance, thru a new predicateType, or thru a byproduct of the existing provenance.