Trivy Question -- add to in-toto friends

[AnaisUrlichs]

Hi there, I would love to add Trivy to the repo -- however, I am not sure whether Trivy qualifies
We use in-toto attestations through Cosign.
Trivy can take an SBOM attestation as input and scan for vulnerabilities.

Here is the link to our docs https://aquasecurity.github.io/trivy/v0.38/docs/attestation/sbom/
If this qualifies, I would love to add Trivy.

[adityasaky]

IMO the ability to consume in-toto attestations qualifies. @SantiagoTorres, @in-toto/attestation-maintainers WDYT?

[SantiagoTorres]

it can also generate though!

[marcelamelara]

+1 to adding Trivy, it's a great use case and shows broader ecosystem interactions.

[Ayush9026]

/assign @Ayush9026 i will add trivy to the repo.