Consider creating an attestation predicate

[puerco]

The security insights data file captures information about the state of the project at a particular commit that is, essentially, a set of claims about it.

I think the project should consider creating a json variant that can be used as a predicate for an ( @in-toto ) attestation. This would allow us to sign and embed the security insights file (for example in a @sigstore bundle) using the existing tooling from those ecosystems.

[eddie-knight]

Hey @puerco what do you think of the following?

I've got this drafted in #96 right now.

project:
  release:
      ...
      provenance:
        cryptography:
          attestation: https://foo.bar/attestation
          algorithm: sha256
        vex-data: https://foo.bar/vex
        hash-manifest: https://foo.bar/hash-manifest

[eddie-knight]

Worked with @puerco offline to design a new attestation object type that will support this. It will be included in the upcoming release (#97).