provenance check is the primary CI/CD integration point. It evaluates a single package or all packages in an SBOM against one or more YAML policy files and returns a semantic exit code indicating whether the target passes, requires review, or is denied by policy. All packages are evaluated concurrently.
provenance check accepts the global flags --format (human, json, sarif), --quiet, --no-color, --ascii, and -v/-vv. Use --format sarif to produce SARIF v2.1.0 output for GitHub Code Scanning and other SARIF-compatible tools.

Synopsis

provenance check <TARGET> [OPTIONS]
The TARGET argument is either:
  • A PURL starting with pkg: — evaluates a single package.
  • A path to an SBOM file — auto-detected if the path exists on disk. All packages in the SBOM are evaluated.

Flags

--policy <string>
    Path to a policy YAML file. Can be specified multiple times to apply several policies together. All rules from all specified files are combined and evaluated as a single policy set.
--policy-dir <string>
    Path to a directory of policy YAML files (.yaml or .yml). All files in the directory are loaded. Can be used alongside --policy.

Exit codes

Code  Verdict  Meaning
0     PASS     All checks passed (only warn or info findings, or no findings).
1     DENY     At least one deny rule matched.
2     REVIEW   No deny findings, but at least one review rule matched.
3     ERROR    Runtime error — network failure, authentication error, parse error, etc.
allow rules are evaluated first. If a package matches an allow rule, it is exempted from all deny, review, and warn rules in the same policy set. This lets you carve out known-good packages from broad rules.

Examples

Check a single package against a policy file
provenance check 'pkg:deb/debian/xz-utils@5.0.0-2?arch=amd64&distro=debian-6' \
  --policy examples/policies/supply-chain-compromise.yaml
Check an SBOM against multiple policy files
provenance check sbom.json --policy ofac.yaml --policy repo-health.yaml
Check an SBOM against all policies in a directory
provenance check sbom.json --policy-dir examples/policies/
Generate SARIF output for GitHub Code Scanning
provenance check sbom.json --policy policies/ --format sarif > results.sarif
CI/CD one-liner with exit code handling
provenance check sbom.json --policy policies/ --quiet
case $? in
  0) echo "All checks passed" ;;
  1) echo "DENIED -- policy violation" && exit 1 ;;
  2) echo "Review required" ;;
  3) echo "Scan error" && exit 1 ;;
esac

Policy engine

Write YAML policy files to define rules, conditions, and actions.

Exit codes

Full reference for exit code semantics and CI/CD integration patterns.
