project-copacetic / copacetic

🧵 CLI tool for directly patching container images using reports from vulnerability scanners

Home Page:https://project-copacetic.github.io/copacetic/

[QUESTION] add SBOM Attestation to patched images

R3DRUN3 opened this issue · comments

What is your question?

Is there an out-of-the-box way to attach a Software Bill of Materials to patched images? See for example this.
I searched in the docs and in the code but could not find anything.
It would be super useful, especially when using the copa GitHub Action.

@R3DRUN3 Not at this time; out-of-the-box SBOM generation (Docker implementation) would require #298.

You can generate container SBOMs with third-party tooling such as `trivy sbom` or `syft` today, though.
There are a few options for attaching secure supply chain artifacts, such as attaching via referrers (used by oras), tags (used by cosign), or as part of an OCI index/manifest list (used by Docker).
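
The two attachment routes named in the reply above, as an added example that is not part of copacetic and not code posted by either commenter: generate the SBOM with syft, then attach it either tag-style with cosign or as an OCI referrer with oras. The image reference, output file name and the `attach_sbom` / `cosign_tag_for_digest` helper names are assumptions for the example; the `sha256-<hex>.att` / `.sig` / `.sbom` tag layout is cosign's documented convention.

```shell
#!/bin/sh
# Added example (not copacetic code): attach an SBOM to a copa-patched image.
set -eu

# cosign publishes signatures and attestations under a tag derived from the
# subject image's digest:  sha256:<hex>  ->  sha256-<hex>.att
# (.sig for signatures, .sbom for `cosign attach sbom`). Pure helper so the
# mapping can be checked offline; it rejects anything that is not a digest.
cosign_tag_for_digest() {
  digest="$1"   # e.g. sha256:0123abcd...
  suffix="$2"   # att | sig | sbom
  hex="${digest#sha256:}"
  if [ "$hex" = "$digest" ]; then
    echo "expected sha256:<hex>, got '$digest'" >&2
    return 1
  fi
  printf '%s\n' "sha256-${hex}.${suffix}"
}

# Assumed input: a digest-pinned reference to the patched image, e.g.
#   ghcr.io/example/app@sha256:...
# Pin by digest so the artifact is bound to the exact patched manifest rather
# than to a mutable tag that a later push could move.
attach_sbom() {
  image="$1"
  method="${2:-cosign}"   # cosign (tag-based) or oras (referrers-based)

  # 1. Generate the SBOM with third-party tooling (syft here; `trivy sbom`
  #    produces an equivalent document).
  syft "$image" -o spdx-json > sbom.spdx.json

  case "$method" in
    cosign)
      # 2a. Tag-based: cosign wraps the SBOM in an in-toto attestation, signs
      #     it (keyless via Sigstore by default) and pushes it to the
      #     sha256-<hex>.att tag next to the image. Consumers check it with
      #     `cosign verify-attestation --type spdxjson` plus the identity
      #     flags matching the signer.
      cosign attest --predicate sbom.spdx.json --type spdxjson "$image"
      ;;
    oras)
      # 2b. Referrers-based: push the SBOM as its own OCI artifact whose
      #     manifest `subject` is the image digest; registries that implement
      #     the referrers API then list it under `oras discover`.
      oras attach --artifact-type application/spdx+json "$image" \
        sbom.spdx.json:application/spdx+json
      oras discover "$image"
      ;;
    *)
      echo "unknown method: $method (use cosign or oras)" >&2
      return 2
      ;;
  esac
}

# The network path only runs when an image reference is passed on the command
# line, e.g.:  sh attach-sbom.sh ghcr.io/example/app@sha256:... oras
if [ "$#" -ge 1 ]; then
  attach_sbom "$@"
fi
```

The cosign route works against any registry because it is just another tag; the oras route keeps the artifact out of the tag namespace but needs a registry that supports the referrers API (or oras' tag-schema fallback).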

@sozercan Thank you!
At present, I have implemented my use case using Syft.