This link provides two in-toto attestations for a BOSH release per go.mod file used by packages in the BOSH release:
- Software bill of materials (SBoM) generated using
syftand using the CycloneDX format. - Provenance for that SBoM, attesting that the packages in the SBoM are properly vendored into the repository and indicating the gosum checksums for each vendored dependencies.