SBOM and Image Signing
Syft generates a CycloneDX or SPDX SBOM for every published runtime image. The SBOM is retained as a workflow artifact initially and attached as an OCI artifact or attestation as registry support matures.
Cosign signs release and main image digests using keyless identity where feasible. Signing a mutable tag is insufficient; the signature binds to the digest.
Deployment verification is a later control: admission policy may require signatures from the approved Nexa CI identity. The current phase establishes reliable generation, retention, and traceability first.