
Provenance ships a first-party GitHub Action that downloads the CLI and runs a supply chain check in your workflow.

Using the GitHub Action

.github/workflows/supply-chain.yml
- name: Generate SBOM
  run: syft your-image:latest -o cyclonedx-json > sbom.cdx.json

- name: Provenance Supply Chain Check
  uses: NetRiseInc/provenance-cli@v0.1.0
  with:
    sbom: sbom.cdx.json
    policy: policies/
    api-token: ${{ secrets.PROVENANCE_API_TOKEN }}

Action inputs

api-token (string, required)
Your Provenance API token. Use a GitHub Actions secret: ${{ secrets.PROVENANCE_API_TOKEN }}.

sbom (string)
Path to the SBOM file to check. Either sbom or package is required.

package (string)
Package URL (PURL) to check — alternative to sbom.

policy (string)
Path to a policy YAML file or directory of policy files.

format (string, default: "human")
Output format: human, json, or sarif.

version (string, default: "latest")
CLI version to download (e.g., v0.1.0). Defaults to the latest release.

quiet (boolean, default: "false")
Show only summary output.

Action outputs

Output     | Description
exit-code  | Exit code from provenance check (0=pass, 1=deny, 2=review, 3=error)
sarif-file | Path to the SARIF output file (when format=sarif)
json-file  | Path to the JSON output file (when format=json)

Running the CLI directly

If you prefer not to use the action, install the CLI manually:
.github/workflows/supply-chain.yml
- name: Install provenance CLI
  run: |
    curl -sL https://github.com/NetRiseInc/provenance-cli/releases/latest/download/provenance-linux-x86_64-gnu.tar.gz | tar xz
    sudo mv provenance /usr/local/bin/

- name: Scan SBOM
  run: provenance check sbom.json --policy policies/ --quiet
  env:
    PROVENANCE_API_TOKEN: ${{ secrets.PROVENANCE_API_TOKEN }}

Checking a single package

- name: Check package
  uses: NetRiseInc/provenance-cli@v0.1.0
  with:
    package: 'pkg:deb/debian/xz-utils@5.0.0-2?arch=amd64&distro=debian-6'
    policy: policies/supply-chain-compromise.yaml
    api-token: ${{ secrets.PROVENANCE_API_TOKEN }}

Exit code handling

- name: Check SBOM
  id: check
  uses: NetRiseInc/provenance-cli@v0.1.0
  with:
    sbom: sbom.cdx.json
    policy: policies/
    api-token: ${{ secrets.PROVENANCE_API_TOKEN }}
  continue-on-error: true

- name: Handle result
  run: |
    case "${{ steps.check.outputs.exit-code }}" in
      0) echo "All checks passed" ;;
      1) echo "DENIED — policy violation" && exit 1 ;;
      2) echo "Review required" ;;
      3) echo "Scan error" && exit 1 ;;
    esac
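The same exit-code mapping, written as a POSIX shell wrapper for the "Running the CLI directly" path above. This is an added example, not part of the Provenance docs or the CLI itself: it assumes the four exit codes listed on this page (0=pass, 1=deny, 2=review, 3=error), treats any other code as an error (fail closed), and adds a hypothetical FAIL_ON_REVIEW knob of this script, not a CLI flag, so a team can decide whether "review required" should block the job instead of passing silently. PROVENANCE_BIN is likewise an assumption of this script, used only to locate the binary.

```shell
#!/bin/sh
# Added example (not the project's own code): map `provenance check` exit codes
# (0=pass, 1=deny, 2=review, 3=error, per the docs) to a CI job decision.
#
# Usage:  PROVENANCE_BIN=/usr/local/bin/provenance sh check.sh   (then call run_check)
# FAIL_ON_REVIEW=1 makes exit code 2 fail the job; it is a knob of this script only.

# classify_exit CODE -> prints one of: pass deny review error unknown
classify_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo deny ;;
    2) echo review ;;
    3) echo error ;;
    *) echo unknown ;;
  esac
}

# step_status CODE [FAIL_ON_REVIEW] -> returns 0 if the job may continue,
# 1 if it must fail. Unknown codes fail closed so a crashed or
# misinstalled CLI never looks like a clean pass.
step_status() {
  code="$1"
  fail_on_review="${2:-${FAIL_ON_REVIEW:-0}}"
  case "$(classify_exit "$code")" in
    pass) return 0 ;;
    review)
      if [ "$fail_on_review" = "1" ]; then return 1; fi
      return 0 ;;
    deny|error|unknown) return 1 ;;
  esac
}

# run_check SBOM POLICY -> runs the CLI, prints one summary line, and returns
# the decision from step_status (0 continue, 1 fail).
run_check() {
  sbom="$1"
  policy="$2"
  bin="${PROVENANCE_BIN:-provenance}"   # assumed override; defaults to PATH lookup
  code=0
  # `|| code=$?` captures the exit code without letting `set -e` abort first.
  "$bin" check "$sbom" --policy "$policy" --quiet || code=$?
  echo "provenance check exit=$code verdict=$(classify_exit "$code")"
  step_status "$code"
}
```

Because step_status fails closed on unrecognised codes, a missing binary (shell exit 127) or a segfault becomes a failed job rather than a green check, which is the behaviour you want from a supply chain gate.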

SARIF upload

Upload SARIF findings to GitHub Code Scanning.

Exit codes

Full reference for all exit codes.
