Description
Being able to offer generating an SBOM for the invocation image and bundle would be a great step in our security focus.
When we talked to the Syft maintainers on their Slack, they pointed us to this example for ingesting Syft as a Go lib.
Ideally, when users run the porter publish command we would take an sbom (bool) flag. If true, then within pkg/porter/publish we would call a separate pkg/porter/publish/sbom.go that would do the generation required. We could separate out this feature into its own package, or keep it within publish. The porter package is already kinda chunky, so maybe best to try and keep all the imports needed for this feature separate.
Note: The linked code generates a Syft SBOM, but we need an SPDX SBOM, so we would need to incorporate the use of formats into this code.
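Since the linked Syft example emits Syft's native JSON rather than SPDX, here is an added example (not porter's or Syft's code) of the SPDX 2.3 JSON structure an sbom-enabled publish would need to produce for an invocation image: a root package for the image, one entry per package found inside it, DESCRIBES/CONTAINS relationships, SPDXIDs sanitised to the allowed character set, and NOASSERTION for required fields with unknown values. The `BuildInvocationImageSBOM` function, the `Package`/`Document` types, the documentNamespace URL and the package list in the test are constructed for illustration; in practice Syft's SPDX format encoder fills these fields from its catalog.

```go
package main
import (
	"errors"
	"regexp"
	"time"
)
// Minimal SPDX 2.3 JSON document shapes, limited to the fields emitted here.
type Package struct {
	Name             string `json:"name"`
	SPDXID           string `json:"SPDXID"`
	VersionInfo      string `json:"versionInfo,omitempty"`
	DownloadLocation string `json:"downloadLocation"`
}
type Relationship struct {
	Element string `json:"spdxElementId"`
	Related string `json:"relatedSpdxElement"`
	Type    string `json:"relationshipType"`
}
type Document struct {
	SPDXVersion   string                 `json:"spdxVersion"`
	DataLicense   string                 `json:"dataLicense"`
	SPDXID        string                 `json:"SPDXID"`
	Name          string                 `json:"name"`
	Namespace     string                 `json:"documentNamespace"`
	CreationInfo  map[string]interface{} `json:"creationInfo"`
	Packages      []Package              `json:"packages"`
	Relationships []Relationship         `json:"relationships"`
}
// An SPDXID is "SPDXRef-" followed only by [A-Za-z0-9.-]; anything else is replaced.
var badIDChars = regexp.MustCompile(`[^A-Za-z0-9.-]`)
func spdxRef(s string) string { return "SPDXRef-" + badIDChars.ReplaceAllString(s, "-") }
// BuildInvocationImageSBOM (constructed for this example) describes the invocation image as the
// root package and every package found inside it, linked by DESCRIBES and CONTAINS relationships.
func BuildInvocationImageSBOM(imageRef string, found []Package, now time.Time) (Document, error) {
	root := Package{Name: imageRef, SPDXID: spdxRef("image-" + imageRef), DownloadLocation: "NOASSERTION"}
	doc := Document{SPDXVersion: "SPDX-2.3", DataLicense: "CC0-1.0", SPDXID: "SPDXRef-DOCUMENT", Name: imageRef,
		Namespace:    "https://example.invalid/spdx/" + badIDChars.ReplaceAllString(imageRef, "-"), // constructed namespace
		CreationInfo: map[string]interface{}{"created": now.UTC().Format(time.RFC3339), "creators": []string{"Tool: sbom-example"}},
		Packages:     []Package{root}, Relationships: []Relationship{{"SPDXRef-DOCUMENT", root.SPDXID, "DESCRIBES"}}}
	seen := map[string]bool{root.SPDXID: true}
	for _, p := range found {
		p.SPDXID = spdxRef("pkg-" + p.Name + "-" + p.VersionInfo) // name+version as the id; real tools mix in a hash
		if seen[p.SPDXID] { return Document{}, errors.New("duplicate SPDXID " + p.SPDXID) } // ids must be unique per document
		seen[p.SPDXID] = true
		if p.DownloadLocation == "" { p.DownloadLocation = "NOASSERTION" } // required field: unknown origin is stated, not omitted
		doc.Packages = append(doc.Packages, p)
		doc.Relationships = append(doc.Relationships, Relationship{root.SPDXID, p.SPDXID, "CONTAINS"})
	}
	return doc, nil
}
```

Serialising the returned document with encoding/json's MarshalIndent yields the SPDX JSON file; the same required fields and SPDXID rules are a useful sanity check on whatever format encoder publish ends up calling.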