
Provenance can output results in SARIF v2.1.0 format, which integrates directly with GitHub Code Scanning to display supply chain findings in the Security tab.

Using the GitHub Action

The easiest way to upload SARIF results is via the first-party action (`.github/workflows/supply-chain.yml`):

```yaml
- name: Generate SBOM
  run: syft your-image:latest -o cyclonedx-json > sbom.cdx.json

- name: Provenance Supply Chain Check
  id: provenance
  uses: NetRiseInc/provenance-cli@v0.1.0
  with:
    sbom: sbom.cdx.json
    policy: policies/
    format: sarif
    api-token: ${{ secrets.PROVENANCE_API_TOKEN }}
  continue-on-error: true

- name: Upload SARIF to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ${{ steps.provenance.outputs.sarif-file }}
```

`continue-on-error: true` is required on the provenance step so that the upload step still runs when violations are found (exit code 1 or 2).

Using the CLI directly

Generate SARIF output by passing `--format sarif` and redirecting to a file (`.github/workflows/supply-chain.yml`):

```yaml
- name: Install provenance CLI
  run: |
    curl -sL https://github.com/NetRiseInc/provenance-cli/releases/latest/download/provenance-linux-x86_64-gnu.tar.gz | tar xz
    sudo mv provenance /usr/local/bin/

- name: Generate SARIF
  run: provenance check sbom.json --policy policies/ --format sarif > results.sarif
  env:
    PROVENANCE_API_TOKEN: ${{ secrets.PROVENANCE_API_TOKEN }}
  continue-on-error: true

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

What appears in Code Scanning

Each policy deny or review finding appears as an alert in the GitHub Security tab with:
  • Rule ID — the policy rule name (e.g., deny-north-korea-contributors)
  • Message — the rule’s message field from your policy YAML
  • Severity — mapped from action: deny → error, review → warning, warn → note
  • Location — the SBOM file or package PURL that triggered the finding

Generating SARIF locally

You can also generate and inspect SARIF output locally before uploading:

```shell
provenance check sbom.json --policy policies/ --format sarif > results.sarif
jq '.runs[0].results | length' results.sarif
```
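Beyond counting results, it is useful to check locally that the file is what Code Scanning expects before the upload step runs, and to see the same four fields (rule ID, message, severity, location) the Security tab will display. The script below is an added example, not part of provenance-cli; it assumes only the standard SARIF v2.1.0 layout (`runs[0].results` with `ruleId`, `level`, `message.text` and `locations[].physicalLocation.artifactLocation.uri`) and embeds a constructed sample log whose rule names, message text and PURL are illustrative, not captured tool output. The `gate` helper is a local convenience for deciding whether a given level should block, not the CLI's own exit-code logic.

```python
"""Validate and summarize a provenance SARIF log before uploading it to Code Scanning."""
import json
import sys
from collections import Counter

# Severity mapping documented for policy actions -> SARIF result level.
ACTION_TO_LEVEL = {"deny": "error", "review": "warning", "warn": "note"}

# Constructed sample SARIF v2.1.0 log (not real tool output). The rule IDs,
# message text and package URL are placeholders for illustration only.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "provenance", "rules": [
            {"id": "deny-north-korea-contributors"},
            {"id": "review-new-maintainer"},   # hypothetical rule name
        ]}},
        "results": [
            {"ruleId": "deny-north-korea-contributors", "level": "error",
             "message": {"text": "constructed: contributor matched a denied list"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "pkg:npm/example-package@1.2.3"}}}]},
            {"ruleId": "review-new-maintainer", "level": "warning",
             "message": {"text": "constructed: maintainer added recently"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "sbom.cdx.json"}}}]},
        ],
    }],
})


def level_for_action(action):
    """Return the SARIF level a policy action maps to; reject unknown actions."""
    try:
        return ACTION_TO_LEVEL[action]
    except KeyError:
        raise ValueError(f"unknown policy action: {action!r}") from None


def load_sarif(text):
    """Parse a SARIF log and check the two things the upload step depends on."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    if not doc.get("runs"):
        raise ValueError("SARIF log contains no runs")
    return doc


def findings(doc):
    """Flatten each result into (ruleId, level, message, location) as the Security tab shows it."""
    rows = []
    for r in doc["runs"][0].get("results", []):
        uri = None
        locs = r.get("locations") or []
        if locs:
            uri = (locs[0].get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
        # SARIF defaults a missing 'level' to "warning".
        rows.append((r.get("ruleId"), r.get("level", "warning"),
                     r.get("message", {}).get("text", ""), uri))
    return rows


def summarize(doc):
    """Count results overall, per level and per rule ID."""
    rows = findings(doc)
    return {
        "total": len(rows),
        "by_level": dict(Counter(level for _, level, _, _ in rows)),
        "by_rule": dict(Counter(rule or "<no ruleId>" for rule, _, _, _ in rows)),
    }


def gate(doc, fail_on=("error",)):
    """Local gating helper: True when no result sits at a blocking level."""
    by_level = summarize(doc)["by_level"]
    return all(by_level.get(level, 0) == 0 for level in fail_on)


if __name__ == "__main__":
    # Usage: python inspect_sarif.py results.sarif   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    doc = load_sarif(text)
    for rule, level, message, uri in findings(doc):
        print(f"[{level}] {rule}: {message} ({uri})")
    print(summarize(doc))
    print("pass" if gate(doc) else "blocked")
```

Run it against `results.sarif` from the previous step; with the embedded sample it lists one `error` and one `warning` and reports `blocked`, because the default gate treats any `error`-level (deny) result as failing.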

GitHub Actions

Full GitHub Actions integration guide.

Exit codes

Understand exit codes for CI/CD gating.
