Provenance CLI queries the NetRise Provenance API to surface risk in your software dependencies — who wrote it, where it comes from, whether it has been compromised, and whether it meets your compliance policies. It works with individual packages, SBOMs, and OCI container images, and integrates into CI/CD pipelines via YAML-based policy enforcement with semantic exit codes.

Quick start

Get up and running in under 5 minutes — authenticate and run your first scan.

Installation

Install from pre-built binaries or build from source on Linux and macOS.

Command reference

Detailed documentation for every command, subcommand, and flag.

Policy engine

Write YAML policies to gate CI/CD on contributor risk, advisories, and repo health.

What provenance does

Query packages & repos

Look up any package by PURL to get provenance data, contributor security posture, repository health metrics, and advisory exposure.

Scan SBOMs

Parse CycloneDX JSON/XML, SPDX JSON/tag-value, or CSV SBOMs and query every package concurrently against the API.

Scan OCI containers

Extract an SBOM from any OCI container image using cosign or syft and analyze all packages in one pass.

Enforce policies in CI/CD

Define rules in YAML and get CI/CD-native exit codes — deny violations block pipelines automatically.

Get started

1. Install the CLI

Download a pre-built binary for your platform or install from source with Cargo.

    # Linux x86_64 — download latest release
    curl -sL https://github.com/NetRiseInc/provenance-cli/releases/latest/download/provenance-linux-x86_64-gnu.tar.gz | tar xz
    sudo mv provenance /usr/local/bin/

See Installation for all platforms and options.

2. Set your API token

Export your Provenance API token as an environment variable.

    export PROVENANCE_API_TOKEN=<your-token>

See Authentication for other configuration methods.

3. Query your first package

Look up a package by its PURL to see provenance data and risk indicators.

    provenance query package 'pkg:deb/debian/curl@7.68.0-1?arch=amd64&distro=debian-10'

4. Scan an SBOM or enforce policy

Scan an SBOM file and optionally enforce YAML policies in your CI/CD pipeline.

    # Scan an SBOM
    provenance scan sbom sbom.cdx.json

    # Check against policies (returns non-zero on violations)
    provenance check sbom.cdx.json --policy policies/

Key capabilities

| Capability         | Description                                                        |
|--------------------|--------------------------------------------------------------------|
| Package provenance | Contributor countries, emails, signing keys, breach status         |
| Repository health  | Bus factor, scorecard score, commit recency, archived status       |
| Advisory exposure  | Direct and indirect advisory relationships via NETR/CVE IDs        |
| Geo-compliance     | OFAC-sanctioned country contributor detection                      |
| SBOM formats       | CycloneDX JSON/XML, SPDX JSON/tag-value, CSV                       |
| Output formats     | Human tables, JSON, SARIF v2.1.0 for GitHub Code Scanning          |
| GitHub Action      | Drop-in action with SARIF upload support                           |
