From 91f4467a1f856edddc89d0ca31609dfab40aba15 Mon Sep 17 00:00:00 2001 From: Nick Piper Date: Sat, 29 Oct 2022 21:18:53 +0100 Subject: [PATCH] docs: update attestation directions with new cosign changes --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cd09cf407..9c01f6d62 100644 --- a/README.md +++ b/README.md @@ -623,14 +623,14 @@ Note for the following example replace `docker.io/image:latest` with an image yo its remote reference. Replace `$MY_PRIVATE_KEY` with a private key you own or have generated with cosign. ```bash -syft attest --key $MY_PRIVATE_KEY docker.io/image:latest > image_latest_sbom_attestation.json +syft attest --key $MY_PRIVATE_KEY -o spdx-json docker.io/image:latest > image_latest_sbom_attestation.json cosign attach attestation --attestation image_latest_sbom_attestation.json docker.io/image:latest ``` Verify the new attestation exists on your image. ```bash -cosign verify-attestation -key $MY_PUBLIC_KEY docker.io/image:latest | jq '.payload | @base64d | .payload | fromjson | .predicate' +cosign verify-attestation --key $MY_PUBLIC_KEY --type spdxjson docker.io/image:latest | jq '.payload | @base64d | .payload | fromjson | .predicate' ``` You should see this output along with the attached SBOM: @@ -644,3 +644,10 @@ The following checks were performed on each of these signatures: ``` Consumers of your image can now trust that the SBOM associated with your image is correct and from a trusted source. + +The SBOM can be piped to Grype: + + +```bash +cosign verify-attestation --key $MY_PUBLIC_KEY --type spdxjson docker.io/image:latest | jq '.payload | @base64d | .payload | fromjson | .predicate' | grype +```
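Review bot: in the first hunk, the `--type spdxjson` on `cosign verify-attestation` only works because the attest line now pins `-o spdx-json`; the surrounding prose should say that the verify `--type` must match the format chosen at attest time (and that cosign's predicate type names, such as `spdxjson`, are spelled differently from syft's output format names, such as `spdx-json`), otherwise a reader who picks another `-o` value will get a predicate-type mismatch on verification. The same context also tells the reader to replace `$MY_PRIVATE_KEY` but never introduces `$MY_PUBLIC_KEY`, which the verify command now depends on; add a sentence such as "Replace `$MY_PUBLIC_KEY` with the public key corresponding to `$MY_PRIVATE_KEY`" next to the existing note. The switch from `-key` to `--key` is the right fix and should stay.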
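Review bot: in the second hunk, the `cosign verify-attestation ... | jq ... | grype` one-liner loses cosign's exit status: if verification fails, cosign prints nothing on stdout, jq emits nothing, and grype is handed an empty stream, so the failure surfaces (if at all) as a grype parsing error rather than as a signature failure. Suggest either documenting `set -o pipefail` for the pipeline or splitting it into a verify step that writes the predicate to a file, e.g. `... | jq '...' > sbom.spdx.json`, followed by `grype sbom:./sbom.spdx.json`, so that a failed verification stops the scan and the reader can see which step rejected the image. Also, the new paragraph is followed by two blank lines before the fence where the rest of the README uses one.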