Type: Task
Resolution: Unresolved
Versions: Pipelines 1.18.0, Pipelines 1.19.0, Pipelines 1.20.0

Instructions
In the Pipelines doc on viewing an SBOM, the Task example has incomplete commands, references an undocumented Quay endpoint, and does not use a Syft image even though one is available from catalog.redhat.com.
Syft is often combined with cosign to generate an SBOM and attach it to an image in a registry. A better Task example could use two steps: one running a Syft image, one running a Cosign image, with an emptyDir workspace shared between the steps to hand over the JSON SBOM.
This documentation should provide a usable example, or at least point users toward the Red Hat Trusted Software Supply Chain tools.
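The two-step Task the ticket asks for, written out as an added example (it is not from the Pipelines documentation and not part of this ticket). The image references in SYFT_IMAGE and COSIGN_IMAGE are assumptions: swap in the Syft image from catalog.redhat.com and whichever Cosign image your cluster is allowed to pull. Both upstream images are distroless, so the steps use command/args rather than a script, which would need a shell in the image.

```yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: sbom-generate-and-attach
spec:
  description: >-
    Step 1 runs Syft to write an SPDX JSON SBOM into a shared workspace;
    step 2 runs Cosign to attach that SBOM to the image in the registry.
  params:
    - name: IMAGE
      type: string
      description: >-
        Fully qualified image reference. Use a digest (registry/repo@sha256:...)
        so the SBOM is generated for and attached to exactly one manifest.
    - name: SYFT_IMAGE
      type: string
      # Assumption: replace with the Syft image from catalog.redhat.com
      default: ghcr.io/anchore/syft:latest
    - name: COSIGN_IMAGE
      type: string
      # Assumption: pin to the Cosign version approved in your environment
      default: gcr.io/projectsigstore/cosign:v2.2.4
  workspaces:
    - name: sbom
      description: Scratch space shared by both steps; an emptyDir is enough.
    - name: dockerconfig
      optional: true
      description: >-
        Directory holding a config.json with registry credentials
        (needed to pull the image and to push the SBOM artifact).
  steps:
    - name: generate-sbom
      image: $(params.SYFT_IMAGE)
      env:
        # Both syft and cosign honour DOCKER_CONFIG for registry auth.
        # Resolves to "" when the optional workspace is not bound.
        - name: DOCKER_CONFIG
          value: $(workspaces.dockerconfig.path)
      command: ["syft"]
      args:
        - "$(params.IMAGE)"
        - "-o"
        - "spdx-json=$(workspaces.sbom.path)/sbom.spdx.json"
    - name: attach-sbom
      image: $(params.COSIGN_IMAGE)
      env:
        - name: DOCKER_CONFIG
          value: $(workspaces.dockerconfig.path)
      command: ["cosign"]
      args:
        - "attach"
        - "sbom"
        - "--sbom"
        - "$(workspaces.sbom.path)/sbom.spdx.json"
        - "--type"
        - "spdx"
        - "$(params.IMAGE)"
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  generateName: sbom-generate-and-attach-
spec:
  taskRef:
    name: sbom-generate-and-attach
  params:
    - name: IMAGE
      # Placeholder digest; substitute the image you want an SBOM for
      value: quay.io/example/app@sha256:0000000000000000000000000000000000000000000000000000000000000000
  workspaces:
    # The emptyDir lives only for the TaskRun pod; nothing persists afterwards.
    - name: sbom
      emptyDir: {}
    - name: dockerconfig
      secret:
        secretName: registry-credentials   # assumption: a kubernetes.io/dockerconfigjson secret with a config.json key
```

Two caveats worth stating next to such an example. `cosign attach sbom` uploads the SBOM as a plain OCI artifact with no signature, so consumers cannot tell whether it was tampered with; if the SBOM is meant to be trusted downstream, replace the second step with `cosign attest --type spdxjson --predicate <file> --key <key> <image>` (or keyless with Fulcio) so the SBOM travels as a signed in-toto attestation. And always pass IMAGE by digest: a tag can move between the Syft step and the Cosign step, leaving an SBOM attached to an image it does not describe.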