Preflight checklist
I have discussed this feature request with the community.
Describe the background of your feature request
As high-profile cyberattacks continue to grow, many organizations request an SBOM, which can help them to identify components and assets which need an update. Additionally, an SBOM can help organizations improve their licensing compliance by providing detailed information about the associated licenses.
Indeed, providing SBOM is even mandatory for federal contracts.
Describe your idea
For the reasons described above, heimdall releases should include an SBOM. To have an attestation, the released SBOM shall be signed.
Are there any workarounds or alternatives?
Building an SBOM from the released container image, e.g. using syft.
Version
v0.11.0-alpha
Additional Context
No response