First, I want to thank you for the amazing work you’ve done with REUSE! Most of my repositories (organization-wise) are REUSE-compliant, and I really appreciate the tool’s help in managing licenses.
I’m relatively new to supply chain security concepts and I’m trying to understand how to integrate the SPDX SBOM and license data generated by the reuse spdx command into software supply chain attestations, particularly with Cosign or GitHub attestations. If I’m misunderstanding anything, I’d really appreciate your forgiveness and any guidance you can provide.
Questions:
How can the SPDX SBOM from reuse spdx be added to attestations in Cosign or GitHub?
What’s the best way to include licensing info (e.g., SPDX license files) in an attestation?
Does REUSE plan to support integrations with Cosign or GitHub attestations, or are there recommended workflows for this?
I’m sorry if I’m missing something. I’d greatly appreciate any examples or advice you can offer to help me understand how to integrate SPDX and licensing info into supply chain attestations.
Thanks again for your work and support!
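The `reuse spdx` command writes an SPDX 2.x tag-value document (not JSON), so one practical route for the question above is to turn that output into a JSON predicate and attach it as a custom attestation (e.g. `cosign attest --type custom --predicate reuse-predicate.json <image>`, or `actions/attest` with `predicate-path`/`predicate-type`). The following helper is an added example, not REUSE or cosign code; the sample tag-value text is constructed to mimic `reuse spdx` output and the predicate-type URI is an assumption.

```python
"""Convert `reuse spdx` tag-value output into a JSON predicate for a custom attestation."""
import json
import re

# Constructed sample mimicking `reuse spdx` tag-value output (SPDX 2.x).
SAMPLE = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example
Creator: Tool: reuse-example

FileName: ./src/main.py
SPDXID: SPDXRef-1
FileChecksum: SHA1: 0000000000000000000000000000000000000001
LicenseConcluded: NOASSERTION
LicenseInfoInFile: GPL-3.0-or-later
FileCopyrightText: <text>SPDX-FileCopyrightText: 2024 Example Org</text>

FileName: ./vendor/blob.bin
SPDXID: SPDXRef-2
FileChecksum: SHA1: 0000000000000000000000000000000000000002
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NONE
FileCopyrightText: NONE
"""

PREDICATE_TYPE = "https://example.org/reuse-licenses/v1"  # assumed URI, pick your own


def parse_spdx_tag_value(text: str) -> list[dict]:
    """Return one record per FileName block with its license and copyright tags."""
    files, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines and free text between blocks
        tag, value = m.groups()
        if tag == "FileName":
            current = {"name": value, "licenses": [], "copyright": []}
            files.append(current)
        elif current is not None and tag == "LicenseInfoInFile":
            current["licenses"].append(value)
        elif current is not None and tag == "FileCopyrightText":
            current["copyright"].append(re.sub(r"</?text>", "", value))
    return files


def build_predicate(text: str) -> dict:
    """Predicate body: per-file license data plus a list of files lacking any license."""
    files = parse_spdx_tag_value(text)
    missing = [f["name"] for f in files if f["licenses"] in ([], ["NONE"])]
    return {"predicateType": PREDICATE_TYPE, "files": files, "filesWithoutLicense": missing}


if __name__ == "__main__":
    # Write the predicate file that `cosign attest --type custom --predicate` consumes.
    with open("reuse-predicate.json", "w") as fh:
        json.dump(build_predicate(SAMPLE), fh, indent=2)
```

In a real pipeline, replace `SAMPLE` with the contents of `reuse spdx -o reuse.spdx` and fail the job if `filesWithoutLicense` is non-empty, so the attestation never vouches for unlicensed files.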
puria changed the title from "Request for Guidance on Integrating SPDX SBOM and License Info into Attestations" to "Request for guidance on integrating SPDX SBOM and license info into Github attestations" on Dec 4, 2024
puria changed the title from "Request for guidance on integrating SPDX SBOM and license info into Github attestations" to "Request for guidance on integrating SPDX SBOM and license info into Github attestations (beta)" on Dec 4, 2024