docs(security): add SBOM verification instructions to SECURITY.md

### Issue Description

Part of #256

Add SBOM attestation verification instructions to `SECURITY.md`, extending the existing build provenance verification section with SBOM-specific guidance.

### Implementation

Add a new section after the existing "Verifying Build Provenance" section in `SECURITY.md`:

1. **What the SBOM contains** — brief explanation of SPDX format and component inventory
2. **Verification command** — `gh attestation verify` with SBOM predicate type (`https://spdx.dev/Document/v2.3`)
3. **Downloading the SBOM** — how to retrieve the `.spdx.json` file from the GitHub Release
4. **Inspecting the SBOM** — how to read and query the SPDX JSON contents
5. **Distribution channel table** — update existing table if present to show SBOM availability

### Acceptance Criteria

- [ ] SBOM verification section added to `SECURITY.md`
- [ ] `gh attestation verify` command documented with correct SBOM predicate type
- [ ] Instructions for downloading and inspecting the SBOM included
- [ ] Consistent formatting with existing build provenance verification section

### References

- [GitHub Artifact Attestations — Verifying](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations)
- [SPDX 2.3 Specification](https://spdx.github.io/spdx-spec/v2.3/)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs(security): add SBOM verification instructions to SECURITY.md #454

Issue Description

Implementation

Acceptance Criteria

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

docs(security): add SBOM verification instructions to SECURITY.md #454

Description

Issue Description

Implementation

Acceptance Criteria

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions