From ea77349343e9c3d588952290aa897ec5b2d17d39 Mon Sep 17 00:00:00 2001 From: Manfred Moser Date: Mon, 20 Oct 2025 17:43:49 -0700 Subject: [PATCH] Add info about SBOM and SLSA files for JavaScript libraries --- .../libraries/javascript/overview.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/content/chainguard/libraries/javascript/overview.md b/content/chainguard/libraries/javascript/overview.md index 88421f6e28..15a3805b8c 100644 --- a/content/chainguard/libraries/javascript/overview.md +++ b/content/chainguard/libraries/javascript/overview.md @@ -101,3 +101,21 @@ Alternatively, you can use the token for direct access from a build tool as discussed in [Build configuration](/chainguard/libraries/javascript/build-configuration/). +## SBOM and attestation files + +Chainguard Libraries for JavaScript include files that contain software bill of +material (SBOM) information. Additional files attest details about build +infrastructure with the [Supply-chain Levels for Software Artifacts +(SLSA)](https://slsa.dev/) provenance information. + +The related files for Chainguard Libraries for JavaScript are located separately +from the registry and the packages themselves. + +More tbd + +From FAQ + +* SBOMs are available in SPDX format in the `sbom.spdx.json` file. +* Provenance is available in the files: `putument.build.json`, + `putument.publish.json`, `build.provenance.json`, `provenance.json` , + `rebuilder.provenance.json`, and `source.provenance.json`.
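Review bot: The new "SBOM and attestation files" section still contains draft placeholders ("More tbd" and the "From FAQ" marker before the bullet list) that would be published as-is; either complete the section or drop those two lines before merging. Two more points in the same hunk: the file names `putument.build.json` and `putument.publish.json` look like a typo carried over from the FAQ (the other provenance files in the same list follow a `*.provenance.json` pattern), so please confirm them against what the registry actually serves; and the sentence "The related files ... are located separately from the registry and the packages themselves" tells the reader where the files are not, but not where to find them or how to fetch them, which is the one thing someone verifying an SBOM or SLSA provenance statement needs. Minor wording: "software bill of material (SBOM)" should read "software bill of materials (SBOM)", and "attest details about build infrastructure with the ... provenance information" reads better as "provide [SLSA] provenance attesting to how the package was built".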