From 332258a9c1fc4f3c65217d95029794c261e7d5ff Mon Sep 17 00:00:00 2001 From: Chip Zoller Date: Wed, 16 Oct 2024 09:51:10 -0400 Subject: [PATCH] update SBOM verification step to switch type to SPDX (#76) Signed-off-by: chipzoller --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4f47443..657603d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -72,10 +72,10 @@ slsa-verifier verify-image gcr.io/kubecost1/disk-autoscaler@ --source-ur ## Verify SBOM -Use the [Sigstore cosign](https://github.com/sigstore/cosign) tool to verify a software bill of materials (SBOM), using the [CycloneDX](https://cyclonedx.org/) standard, has been attested using the [keyless method](https://docs.sigstore.dev/signing/overview/). +Use the [Sigstore cosign](https://github.com/sigstore/cosign) tool to verify a software bill of materials (SBOM), using the [SPDX](https://spdx.dev/) standard, has been attested using the [keyless method](https://docs.sigstore.dev/signing/overview/). ```sh -cosign verify-attestation --type cyclonedx gcr.io/kubecost1/disk-autoscaler:$TAG --certificate-identity-regexp="https://github.com/kubecost/disk-autoscaler/.github/workflows/release.yaml@refs/tags/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq .payload -r | base64 --decode | jq +cosign verify-attestation --type spdxjson gcr.io/kubecost1/disk-autoscaler:$TAG --certificate-identity-regexp="https://github.com/kubecost/disk-autoscaler/.github/workflows/release.yaml@refs/tags/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq .payload -r | base64 --decode | jq ``` The SBOM is also available as an offline release asset for every tagged release.
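Review bot: the `+` command line keeps the identity pattern `https://github.com/kubecost/disk-autoscaler/.github/workflows/release.yaml@refs/tags/*` unchanged, and as a regexp it is looser than the prose implies: the trailing `*` repeats only the preceding `/`, the unescaped dots match any character, and nothing anchors the expression, so it effectively matches the prefix `...release.yaml@refs/tags` anywhere in the certificate identity rather than exactly `tags/<tag>`. Since this line is being touched anyway, consider an escaped and anchored form such as `^https://github\.com/kubecost/disk-autoscaler/\.github/workflows/release\.yaml@refs/tags/.*$`. Separately, because the predicate type switches from `cyclonedx` to `spdxjson` here while the surrounding text still says the SBOM ships with "every tagged release", it would help readers to state from which tag the SPDX attestation is published, as `--type spdxjson` will not match earlier releases that were attested with the CycloneDX predicate.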