Add attestation workflow to README (#759)

* add attestation workflow to README

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

README.md

@@ -413,3 +413,35 @@ anchore:
   # same as -d ; SYFT_ANCHORE_DOCKERFILE env var
   dockerfile: ""
 ```
+
+### Adding an SBOM to an image as an attestation
+SBOMs themselves can serve as input to different analysis tools. The Anchore organization offers the vulnerability scanner
+[grype](https://github.com/anchore/grype) as one such tool.
+One of the foundational approaches to "trust" between tools is for producers to use the artifacts generated by syft as attestations to their images.
+The SBOM output of syft can be used with the [cosign](https://github.com/sigstore/cosign) tool to generate an attestation that is attached to a signed image.
+
+#### Example attest
+Note for the following example replace `test/image:latest` with an image you own. You should also have push access to 
+its remote reference. Replace $MY_PRIVATE_KEY with a private key you own or have generated with cosign.
+
+```bash
+cosign sign -key $MY_PRIVATE_KEY test/image:latest
+syft test/image:latest -o json > test_latest_sbom.json
+cosign attest -predicate test_latest_sbom.json -key $MY_PRIVATE_KEY
+```
+
+Verify the new attestation exists on your image
+```bash
+cosign verify-attestation -key $MY_PUBLIC_KEY test/image:latest | jq '.payload |= @base64d | .payload | fromjson | .predicate.Data | fromjson | .'
+```
+
+You should see this output along with the attached SBOM.
+```
+Verification for test/image:latest --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - The signatures were verified against the specified public key
+  - Any certificates were verified against the Fulcio roots.
+```
+
+Consumers of your image can now trust that the SBOM associated with your image is correct and from a trusted source.