Use provenance query to interrogate individual entities in the supply chain: a specific package, the repository it comes from, a contributor’s security posture, or a published advisory.
All query subcommands accept the global flags --format (human, json, sarif), --quiet, --no-color, --ascii, and -v/-vv. See Output formats for details.
query package
Look up a package by its PURL (Package URL) to retrieve provenance data, dependency mapping, associated advisories, and contributor information.
Synopsis
Flags
Also fetch repository health metrics for the package’s source repository — bus factor, OpenSSF Scorecard score, commit recency, signed commit ratio, and more.
Search for all known versions and architectures of the package instead of doing an exact PURL lookup. Useful when you don’t know the exact version or distro qualifier.
Perform a reverse dependency lookup — find other packages that depend on this one.
Examples
query repo
Query a Git repository for the packages it produces, the advisories associated with it, and optionally its health metrics.
Synopsis
Flags
Also fetch repository health metrics — OpenSSF Scorecard, bus factor, commit activity, and contributor signing data.
Examples
query contributor
Look up a contributor by email address or GitHub username to see which repositories and packages they have contributed to.
Synopsis
If the argument contains @, it is treated as an email address; otherwise it is treated as a GitHub username.
Flags
Also fetch the contributor’s security posture: known data breach exposure and signing key information. Requires an email address (not a username).
Examples
--security only works with an email address. If you pass a username with --security, the CLI will emit a warning and skip the security fetch.
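A wrapper for the caveat above, as an added example (not code from the provenance CLI project): it passes --security only for identifiers containing @ and returns non-zero when any contributor was queried without security posture, so automation does not miss it unnoticed. The positional identifier argument, the flag order, and the PROVENANCE override variable are assumptions, since the synopsis is not shown on this page.

```sh
# Added example, not part of the provenance CLI.
# Assumptions: the identifier is a positional argument, flags may follow it,
# and PROVENANCE is a hypothetical override for the binary name.

# Mirror the documented rule: an identifier containing "@" is an email.
contributor_kind() {
  case "$1" in
    *@*) echo email ;;
    *)   echo username ;;
  esac
}

# Query one contributor. --security is passed only for emails, since the CLI
# warns and skips the security fetch when it is given a username.
query_contributor() {
  if [ "$(contributor_kind "$1")" = email ]; then
    "${PROVENANCE:-provenance}" query contributor "$1" --security --format json </dev/null
  else
    echo "no security posture fetched for username: $1" >&2
    "${PROVENANCE:-provenance}" query contributor "$1" --format json </dev/null
  fi
}

# Read identifiers from stdin, one per line, and query each.
# Returns 1 if any query failed or any identifier was a username, so a
# pipeline can fail closed instead of missing posture data unnoticed.
query_contributors() {
  pq_rc=0
  while IFS= read -r pq_id || [ -n "$pq_id" ]; do
    [ -n "$pq_id" ] || continue
    [ "$(contributor_kind "$pq_id")" = email ] || pq_rc=1
    query_contributor "$pq_id" || pq_rc=1
  done
  return "$pq_rc"
}
```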