Not every image will have SBOMs attached to it (especially as it requires opt-in).
If an SBOM is requested, but one is not attached, we should attempt to create a scan of the image using one of the buildkit scanners as a fallback. This allows consumers of the library to more transparently consume SBOM results, and easily query it - this could be massively useful for the docker sbom command and similar.
We should probably only enable this behavior if there's some user-specified config to do this, so we should have a global config object for the loader that allows configuration of this behavior.
Not every image will have SBOMs attached to it (especially as it requires opt-in).
If an SBOM is requested, but one is not attached, we should attempt to create a scan of the image using one of the buildkit scanners as a fallback. This allows consumers of the library to more transparently consume SBOM results, and easily query it - this could be massively useful for the
docker sbomcommand and similar.We should probably only enable this behavior if there's some user-specified config to do this, so we should have a global config object for the loader that allows configuration of this behavior.