Feature: Check for SBOMs in CI/CD Artifacts as well as releases
Describe the solution you'd like

Currently we check for SBOMs only in release assets and source code. We should also be checking for SBOMs generated as part of the CI/CD workflow. Since a project's SBOM needs to be regenerated any time there is a change to a dependency or dependency version, it's a good habit to be rescanning and regenerating the SBOM on commits to the default branch. This is also the logical first step to releasing the SBOM as part of the release assets, so credit should be given if SBOMs are consistently generated in CI/CD but not yet as part of a release.
This could potentially be implemented using existing interface methods for gathering similar information, although the differences between how GitHub/GitLab handle CI/CD might push us to create an interface method for SBOM gathering to abstract away the necessary work. More investigation on the best way to accomplish this is needed on my part.
Additional context
This wouldn't negatively affect scoring in the release SBOM probe for those currently utilizing this experimental check. It would expand what qualifies as a True Outcome for the hasReleaseSBOM probe.
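As an added illustration of what the proposed CI/CD check would have to recognise (this is example code written for this page, not Scorecard's own implementation or anything from the issue author): a constructed GitHub Actions workflow that regenerates an SBOM on every push to the default branch and keeps it as a build artifact, next to a line-oriented heuristic that inspects such a workflow for an SBOM-generating step, a push trigger and an artifact upload. The action names (anchore/sbom-action, actions/upload-artifact) are real; the list of recognised generators, the branch name "main", the job and file names, and the `SBOMFinding`/`InspectWorkflow`/`GeneratesSBOMInCI` names are assumptions made here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleWorkflow is a constructed GitHub Actions workflow (not taken from any
// real project) that regenerates an SBOM on every push to the default branch
// and retains it as a build artifact. Action names are real; the branch name,
// job name and file names are assumptions.
const sampleWorkflow = `name: sbom
on:
  push:
    branches: [main]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json
`

// SBOMFinding is what a CI/CD-oriented SBOM probe could report for one workflow.
type SBOMFinding struct {
	Tool            string // recognised SBOM generator, "" if none
	TriggeredOnPush bool   // workflow runs on push events (commits landing on a branch)
	UploadsArtifact bool   // an artifact upload follows the SBOM step
}

// generators is a heuristic list of SBOM producers (my own list, not Scorecard's).
// Each pattern is matched against one normalised workflow line.
var generators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"anchore/sbom-action", regexp.MustCompile(`^uses:\s*anchore/sbom-action(@|\s|$)`)},
	{"CycloneDX action", regexp.MustCompile(`^uses:\s*CycloneDX/`)},
	{"syft CLI", regexp.MustCompile(`^run:.*\bsyft\b`)},
	{"cyclonedx CLI", regexp.MustCompile(`^run:.*\bcyclonedx(-\w+)?\b`)},
	{"trivy sbom", regexp.MustCompile(`^run:.*\btrivy\b.*(\bsbom\b|--format\s+(spdx|cyclonedx))`)},
}

// normalise strips indentation and a leading list dash so that
// "      - uses: x" and "        uses: x" both become "uses: x".
func normalise(line string) string {
	s := strings.TrimSpace(line)
	s = strings.TrimPrefix(s, "- ")
	return strings.TrimSpace(s)
}

// InspectWorkflow scans one workflow file for SBOM generation, a push trigger
// and a subsequent artifact upload. It is deliberately line-oriented: it needs
// no YAML dependency and tolerates small formatting differences between files.
func InspectWorkflow(yaml string) SBOMFinding {
	var f SBOMFinding
	lines := strings.Split(yaml, "\n")
	sbomLine := -1
	for i, raw := range lines {
		line := normalise(raw)
		if f.Tool == "" {
			for _, g := range generators {
				if g.re.MatchString(line) {
					f.Tool, sbomLine = g.name, i
					break
				}
			}
		}
		// Top-level trigger block: "on: push", "on: [push, ...]" or a nested "push:" key.
		if strings.HasPrefix(line, "on:") && !strings.HasPrefix(raw, " ") {
			if strings.Contains(line, "push") {
				f.TriggeredOnPush = true
				continue
			}
			for _, next := range lines[i+1:] {
				if strings.TrimSpace(next) == "" {
					continue
				}
				if !strings.HasPrefix(next, " ") {
					break // left the "on:" block
				}
				if strings.HasPrefix(strings.TrimSpace(next), "push") {
					f.TriggeredOnPush = true
					break
				}
			}
		}
		// Only an upload that comes after the SBOM step can be retaining the SBOM.
		if sbomLine >= 0 && i > sbomLine && strings.HasPrefix(line, "uses:") &&
			strings.Contains(line, "actions/upload-artifact") {
			f.UploadsArtifact = true
		}
	}
	return f
}

// GeneratesSBOMInCI gives credit in the spirit of the issue: the SBOM must be
// regenerated on pushes and retained, not merely produced and discarded.
func GeneratesSBOMInCI(yaml string) bool {
	f := InspectWorkflow(yaml)
	return f.Tool != "" && f.TriggeredOnPush && f.UploadsArtifact
}

func main() {
	f := InspectWorkflow(sampleWorkflow)
	fmt.Printf("%+v credited=%v\n", f, GeneratesSBOMInCI(sampleWorkflow))
}
```

The heuristic reports the generator, the trigger and the upload separately so a probe could distinguish "produces an SBOM but throws it away" from "retains it as an artifact"; only the latter is the stepping stone toward shipping it as a release asset that the issue describes.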
This issue has been marked stale because it has been open for 60 days with no activity.