support attaching attestation right after generate it

[developer-guy]

What would you like to be added:

While reading the blog post on Anchore's website about generating attestations with Syft (really excellent blog post, btw), We've noticed that to attach attestations to the image Syft requires additional cosign command, so, we can provide the same functionality in Syft without requiring other cosign command by simply adding a new flag named --attach or --load, etc.

Why is this needed:

Eliminating the second command to attach attestation to the image

Additional context:

• We're willing to do this 👆
• Cross-ref-issue: create an SBOM attestations using syft and attach them to container image using cosign goreleaser/goreleaser#2997

cc: @Dentrax

[Dentrax]

+1, this one very straightforward task that we can handle this in Run() function. Eventually UX will be:

- $ syft attest --key ./cosign.key <my-image> -o cyclonedx-json > ./my-image-sbom.att.json
- $ cosign attach attestation <my-image> --attestation ./my-image-sbom.att.json
vs.
+ $ syft attest --attach --key ./cosign.key <my-image> -o cyclonedx-json

[developer-guy]

Fixed by: #910

[developer-guy]