Feat: re-enable SBOM creation during build using external scanners #755

@mikemccracken

Description

Is your feature request related to a problem? Please describe.

SBOM creation support is a useful feature but was not well used and caused some maintenance work to keep up with the dependencies it brought into the build and thus the stacker libraries.

It has been removed but we should have a plan for re-enabling it because creating the SBOM at build time and embedding the info about the tooling that created it into the artifacts makes it easier to trace the chain of trusted tools.

Describe the solution you'd like

@raharper has proposed an alternate solution where stacker would bind in an external binary and use it to generate an SPDX BOM just as stacker-bom did. This would let us support multiple scanners as well as removing the deps from stacker itself and its libraries.

Describe alternatives you've considered

No response

Additional context

No response
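One way the proposed flow could look in Go, as an added example that is not stacker's code: the build runs an external scanner binary, takes its SPDX JSON output, and appends stacker's own tool identity to `creationInfo.creators` so the artifact records the chain of tools that produced it. The scanner name and flags, the `RunExternalScanner` and `AnnotateCreators` function names, and the sample document are assumptions for this example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
)

// sampleSBOM is a constructed minimal SPDX 2.3 document standing in for scanner output.
const sampleSBOM = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"rootfs",
"creationInfo":{"created":"2024-01-01T00:00:00Z","creators":["Tool: example-scanner-1.0"]},"packages":[]}`

// AnnotateCreators appends "Tool: <name>" entries to creationInfo.creators so the
// artifact records every tool in the chain that produced it; other fields pass through.
func AnnotateCreators(sbom []byte, tools ...string) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, fmt.Errorf("scanner output is not JSON: %w", err)
	}
	if _, ok := doc["spdxVersion"].(string); !ok {
		return nil, fmt.Errorf("not an SPDX document: spdxVersion missing")
	}
	ci, _ := doc["creationInfo"].(map[string]any)
	if ci == nil {
		ci = map[string]any{}
	}
	creators, _ := ci["creators"].([]any)
	for _, t := range tools {
		creators = append(creators, "Tool: "+t)
	}
	ci["creators"] = creators
	doc["creationInfo"] = ci
	return json.Marshal(doc)
}

// RunExternalScanner runs a scanner binary made available to the build (binary name
// and flags are assumptions) and returns its SPDX output annotated with the stacker version.
func RunExternalScanner(ctx context.Context, scanner, rootfs, stackerVersion string) ([]byte, error) {
	out, err := exec.CommandContext(ctx, scanner, "--output-format", "spdx-json", rootfs).Output()
	if err != nil {
		return nil, fmt.Errorf("%s failed: %w", scanner, err)
	}
	return AnnotateCreators(out, "stacker-"+stackerVersion)
}

func main() {
	out, err := AnnotateCreators([]byte(sampleSBOM), "stacker-dev")
	fmt.Println(string(out), err)
}
```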
