Add check for published SBOMs #3574

@ashearin

Description

Is your feature request related to a problem? Please describe.
Recent zero-day vulnerabilities and the resultant WH executive order regarding cybersecurity are making SBOM generation an increasingly important part of building/delivering a secure software product. There are a few different standards being created regarding where to publish an SBOM for your product, making a check through Scorecard more feasible.

Some of the standards we're seeing:

  • Project release artifacts (github/gitlab)
  • security insights 1.0.0 spec
  • sbom-everywhere naming and directory conventions

Describe the solution you'd like
Adding a check for the mere existence of a published SBOM in any of the standard locations listed above would be a great initial step to SBOM support. This gives room to grow into more sophisticated checks surrounding SBOM content/quality in the future.

There have been community members interested in the implementation and contribution of this feature, namely myself and Daniel Appelquist.

Additional context
Potential (-ly forgotten) duplicate: #1476
Related to: #2605
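One way to implement the existence check the issue proposes, as an added example in Go (Scorecard's language) that is not part of the issue or of the Scorecard code base: it takes the release asset names, the repository file paths and the text of SECURITY-INSIGHTS.yml and reports every candidate SBOM it finds. The filename heuristics, the `sbom/` directory convention and the line-level probe for `sbom-file` / `sbom-url` entries are assumptions made for the example, not the text of the SBOM Everywhere or Security Insights specs, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// The three kinds of location mirror the ones listed in the issue.
const (
	LocReleaseAsset     = "release-asset"
	LocRepoFile         = "repo-file"
	LocSecurityInsights = "security-insights"
)

// Hit records one piece of evidence that an SBOM is published.
type Hit struct {
	Location string // one of the Loc* constants
	Name     string // asset name, repo path, or the SECURITY-INSIGHTS value
}

// sbomName is an ASSUMED naming heuristic, not the SBOM Everywhere spec text:
// a basename containing the token "sbom", an SPDX extension, a CycloneDX
// ".cdx.*" extension, the CycloneDX default "bom.json"/"bom.xml", or the
// word "cyclonedx" anywhere. Input is lower-cased before matching.
var sbomName = regexp.MustCompile(
	`(^|[^a-z])sbom([^a-z]|$)|\.spdx(\.(json|yaml|yml|xml|rdf))?$|\.cdx\.(json|xml)$|^bom\.(json|xml)$|cyclonedx`)

// insightsSBOMKey is an ASSUMED line-level probe for Security Insights
// "dependencies.sbom" entries (sbom-file / sbom-url). A real check would
// parse the YAML; this keeps the example stdlib-only.
var insightsSBOMKey = regexp.MustCompile(`^\s*-?\s*sbom-(file|url):\s*(\S.*)$`)

// LooksLikeSBOM applies the naming heuristic to a release asset name or a
// repository path. ASSUMED directory convention: anything under "sbom/".
func LooksLikeSBOM(name string) bool {
	lower := strings.ToLower(name)
	if sbomName.MatchString(path.Base(lower)) {
		return true
	}
	for _, seg := range strings.Split(path.Dir(lower), "/") {
		if seg == "sbom" {
			return true
		}
	}
	return false
}

// FindPublishedSBOMs returns every hit across release assets, repository
// file paths and the contents of SECURITY-INSIGHTS.yml (pass "" if absent).
func FindPublishedSBOMs(releaseAssets, repoFiles []string, securityInsights string) []Hit {
	var hits []Hit
	for _, a := range releaseAssets {
		if LooksLikeSBOM(a) {
			hits = append(hits, Hit{Location: LocReleaseAsset, Name: a})
		}
	}
	for _, f := range repoFiles {
		if LooksLikeSBOM(f) {
			hits = append(hits, Hit{Location: LocRepoFile, Name: f})
		}
	}
	for _, line := range strings.Split(securityInsights, "\n") {
		if m := insightsSBOMKey.FindStringSubmatch(line); m != nil {
			hits = append(hits, Hit{Location: LocSecurityInsights, Name: strings.TrimSpace(m[2])})
		}
	}
	return hits
}

// HasPublishedSBOM is the yes/no answer the initial existence check reports.
func HasPublishedSBOM(releaseAssets, repoFiles []string, securityInsights string) bool {
	return len(FindPublishedSBOMs(releaseAssets, repoFiles, securityInsights)) > 0
}

func main() {
	// Constructed sample input, not data from any real project.
	assets := []string{"myapp-1.2.3-linux-amd64.tar.gz", "checksums.txt", "myapp-1.2.3.spdx.json"}
	files := []string{"README.md", "go.mod", "sbom/myapp.cdx.json"}
	insights := "header:\n  schema-version: 1.0.0\ndependencies:\n  sbom:\n" +
		"    - sbom-file: ./sbom/myapp.cdx.json\n      sbom-format: CycloneDX\n"
	for _, h := range FindPublishedSBOMs(assets, files, insights) {
		fmt.Printf("%-18s %s\n", h.Location, h.Name)
	}
	fmt.Println("published SBOM found:", HasPublishedSBOM(assets, files, insights))
}
```

A Scorecard check built on this would feed the release assets from the repository client and the file list from the checked-out tree; the heuristic deliberately reports where each match came from so that a later content/quality check can open the right file.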

Status: Done