
The provenance check and provenance scan sbom commands return semantic exit codes that map directly to policy outcomes. This makes it easy to gate CI/CD pipelines without parsing output.

Exit code reference

Code  Name    When it occurs
0     PASS    All checks passed — only warn and info findings (or no findings)
1     DENY    At least one deny rule was triggered
2     REVIEW  No deny findings, but at least one review rule was triggered
3     ERROR   Runtime error — network failure, authentication error, SBOM parse error, etc.

Action precedence

When multiple findings exist, the highest-severity exit code wins:
  • If any deny → exit 1 (even if there are also review findings)
  • If only review → exit 2
  • If only warn / info / allow → exit 0

Using exit codes in shell scripts

provenance check sbom.json --policy policies/ --quiet
case $? in
  0) echo "All checks passed" ;;
  1) echo "DENIED — policy violation" && exit 1 ;;
  2) echo "Review required" ;;
  3) echo "Scan error" && exit 1 ;;
esac

Using exit codes in GitHub Actions

- name: Check SBOM
  id: check
  run: |
    # The default GitHub Actions shell runs with `set -e`, which would abort the
    # step on a non-zero exit before the code is recorded. Disable it here so
    # every exit code reaches the step output and the later steps can act on it.
    set +e
    provenance check sbom.json --policy policies/ --quiet
    echo "exit-code=$?" >> "$GITHUB_OUTPUT"
  env:
    PROVENANCE_API_TOKEN: ${{ secrets.PROVENANCE_API_TOKEN }}

- name: Fail on deny
  if: steps.check.outputs.exit-code == '1'
  run: exit 1

- name: Warn on review
  if: steps.check.outputs.exit-code == '2'
  run: echo "::warning::Supply chain review required"

# A scan error (code 3) means no policy verdict was produced; fail closed rather
# than letting the pipeline pass because the check never ran to completion.
- name: Fail on scan error
  if: steps.check.outputs.exit-code == '3'
  run: exit 1

Treating review as a hard failure

If you want review findings to also block the pipeline, check for both codes:
provenance check sbom.json --policy policies/
EXIT=$?
if [ "$EXIT" -eq 1 ] || [ "$EXIT" -eq 2 ]; then
  echo "Policy violation — blocking pipeline"
  exit 1
fi
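The snippets above each handle one or two exit codes. The gate below, an added example that is not part of provenance-cli, puts the whole mapping in one POSIX sh function: it runs whatever check command it is given (`provenance check` or `provenance scan sbom`), captures the exit code in a way that survives `set -e` (which CI shells usually enable), blocks on deny, fails closed on a scan error or an unexpected code, and makes review blocking only when the hypothetical `REVIEW_BLOCKS=1` variable is set. The variable name and the wrapper are assumptions for illustration; the exit codes are the ones documented on this page.

```shell
#!/bin/sh
# Added example (not provenance-cli's own code): a single gate function that maps
# the documented exit codes to a pipeline verdict.
#
#   gate provenance check sbom.json --policy policies/ --quiet
#
# REVIEW_BLOCKS=1 (assumed, hypothetical variable) turns review into a hard failure.
gate() {
  # Capture the exit code even when the script runs with `set -e`: the
  # `|| gate_rc=$?` keeps a non-zero status from aborting the script before
  # the code has been inspected.
  gate_rc=0
  "$@" || gate_rc=$?
  case "$gate_rc" in
    0)
      echo "PASS: all checks passed"
      return 0 ;;
    1)
      echo "DENY: policy violation, blocking pipeline" >&2
      return 1 ;;
    2)
      echo "REVIEW: supply chain review required" >&2
      if [ "${REVIEW_BLOCKS:-0}" = "1" ]; then
        return 1
      fi
      return 0 ;;
    3)
      # No verdict was produced (network, auth or SBOM parse error): fail closed.
      echo "ERROR: scan did not complete, blocking pipeline" >&2
      return 1 ;;
    *)
      echo "unexpected exit code $gate_rc, blocking pipeline" >&2
      return 1 ;;
  esac
}
```

Because the check command is passed as arguments, the same function can be reused for both commands and for local runs; in a pipeline, `gate ... || exit 1` after the definition is all that is needed.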

Policy action mapping

Policy action  Exit code contributed
deny           1
review         2
warn           0
info           0
allow          0 (exempts package from deny/review/warn)

allow rules are evaluated first. A package that matches an allow rule is fully exempted — it will not contribute a non-zero exit code even if it also matches deny or review rules.
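To make the precedence rules above and the allow exemption concrete, here is an added example, not code from provenance-cli, that models how a set of findings resolves to one exit code. The input format (one constructed `package action` line per finding) and the awk/grep evaluation are assumptions chosen for the illustration; the engine's real data model is not described on this page. The rules it encodes are the documented ones: allow is evaluated first and exempts the package entirely, any remaining deny yields 1, otherwise any review yields 2, otherwise 0.

```shell
#!/bin/sh
# Added example (not the provenance-cli policy engine): resolve the exit code
# implied by the documented precedence and allow-exemption rules.
# $1 is a constructed list of "package action" lines, one finding per line,
# where action is one of allow|deny|review|warn|info.
resolve_exit_code() {
  findings="$1"
  code=0
  # allow rules are evaluated first: collect every exempted package name.
  exempt=$(printf '%s\n' "$findings" | awk '$2 == "allow" { print $1 }')
  while read -r pkg action; do
    [ -z "$pkg" ] && continue
    # An exempted package contributes nothing, even if it also matches deny/review.
    if printf '%s\n' "$exempt" | grep -qxF -- "$pkg"; then
      continue
    fi
    case "$action" in
      deny)   code=1 ;;                        # deny always wins
      review) [ "$code" -eq 0 ] && code=2 ;;   # review counts only without a deny
      warn|info|allow) ;;                      # these contribute exit code 0
      *) echo "unknown action: $action" >&2; return 3 ;;
    esac
  done <<EOF
$findings
EOF
  return "$code"
}

# Constructed sample: openssl matches both an allow and a deny rule, zlib a review rule.
SAMPLE='openssl allow
openssl deny
zlib review'
rc=0; resolve_exit_code "$SAMPLE" || rc=$?
echo "exit code: $rc"   # openssl is exempt, so review decides: 2
```

Note that the deny on `openssl` is discarded entirely because of the allow match; only the `zlib` review finding is left to set the exit code. This is the behaviour to keep in mind when writing broad allow rules.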

Policy engine

Learn how to write policy rules with deny, review, and allow actions.

GitHub Actions

Integrate exit codes into GitHub Actions workflows.
