
Use provenance scan to bulk-query all packages in an SBOM file or a container image. Packages are queried concurrently; in an interactive terminal the default human output format shows a progress bar.
All scan subcommands accept the global flags --format (human, json, sarif), --quiet, --no-color, --ascii, and -v/-vv. See Output formats for details.
Up to 20 package queries are in flight at once. The global --concurrency flag and the concurrency config file key control the underlying HTTP-level throttle (default: 10). For large SBOMs, tune these values to stay under the API's rate limits.

scan sbom

Parse an SBOM file and query every package against the API concurrently. The format is auto-detected from the file content, so you do not need to specify it.

Synopsis
provenance scan sbom [FILE] [OPTIONS]

Supported formats

Format            Extensions            Detection
CycloneDX JSON    .cdx.json, .json      bomFormat field
CycloneDX XML     .cdx.xml, .xml        <bom> root element
SPDX JSON         .spdx.json, .json     spdxVersion field
SPDX tag-value    .spdx, .spdx.tv       SPDXVersion: line
CSV               .csv                  header row with purl or type,namespace,name,version
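Because detection is content-based, a plain .json file may be either CycloneDX or SPDX. The following sh script is an added example, not provenance-cli's own code: it implements the detection signals in the table above with grep so you can check how a file will be classified (or pre-filter a pipeline) before scanning it. The write_samples helper and the inputs it writes are constructed for this example and are not real SBOMs.

```shell
#!/bin/sh
# Added example, not provenance-cli's own code: detect an SBOM's format from its
# content using the same signals the supported-formats table lists.
# Usage: detect_sbom_format FILE      prints the format name (exit 1 if unrecognised)
#        detect_sbom_format - < FILE  reads standard input, like `provenance scan sbom --stdin`

detect_sbom_format() {
  f=$1
  tmp=
  if [ "$f" = "-" ]; then
    # Spool stdin to a temp file so it can be grepped more than once.
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    f=$tmp
  fi
  fmt=unknown
  # CycloneDX JSON and SPDX JSON can both carry a plain .json extension, so the
  # extension is ignored and only the distinguishing keys are consulted.
  if grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f"; then
    fmt="CycloneDX JSON"
  elif grep -q '"spdxVersion"[[:space:]]*:' "$f"; then
    fmt="SPDX JSON"
  elif grep -q '^SPDXVersion:' "$f"; then
    fmt="SPDX tag-value"
  elif grep -Eq '(^|>)[[:space:]]*<([A-Za-z0-9_]+:)?bom[[:space:]>/]' "$f"; then
    fmt="CycloneDX XML"
  else
    # CSV: the header row must contain a purl column or the four
    # type,namespace,name,version columns (case-insensitive, spaces ignored).
    header=$(head -n 1 "$f" | tr -d '\r ' | tr 'A-Z' 'a-z')
    case ",$header," in
      *,purl,*|*,type,namespace,name,version,*) fmt="CSV" ;;
    esac
  fi
  [ -n "$tmp" ] && rm -f "$tmp"
  printf '%s\n' "$fmt"
  [ "$fmt" != unknown ]
}

# Constructed sample inputs (minimal, not real SBOMs) so the detector can be tried offline.
write_samples() {
  dir=$1
  printf '{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}\n' > "$dir/cyclonedx.json"
  printf '<?xml version="1.0"?>\n<bom xmlns="http://cyclonedx.org/schema/bom/1.5"></bom>\n' > "$dir/cyclonedx.xml"
  printf '{"spdxVersion": "SPDX-2.3", "name": "demo", "packages": []}\n' > "$dir/spdx.json"
  printf 'SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n' > "$dir/demo.spdx"
  printf 'purl\npkg:npm/lodash@4.17.21\n' > "$dir/purl.csv"
  printf 'Type,Namespace,Name,Version\nnpm,,lodash,4.17.21\n' > "$dir/columns.csv"
  printf 'not an sbom\n' > "$dir/other.txt"
}

# Try it: d=$(mktemp -d); write_samples "$d"
#         for f in "$d"/*; do printf '%s: ' "$f"; detect_sbom_format "$f"; done
```

The checks are ordered so that the two JSON dialects are told apart by their keys before the XML and CSV heuristics run; the stdin mode spools to a temp file only because grep needs to read the input more than once.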

Flags

--stdin
boolean
Read the SBOM from standard input instead of a file. Useful for piping output from other tools such as syft directly into the scanner without writing an intermediate file.
--health
boolean
Also fetch repository health metrics for every unique source repository found across all scanned packages. Health results are shown in verbose mode (-v).
--policy
string
Path to a policy YAML file to evaluate all scanned packages against. Can be specified multiple times to apply several policies in a single scan.
--policy-dir
string
Path to a directory of policy YAML files (.yaml or .yml). All policy files in the directory are loaded and evaluated together.
--timeout
number
Per-request timeout in seconds. Overrides the global --timeout value for this scan only.

Examples

provenance scan sbom my-sbom.cdx.json

Inline policy enforcement

Apply policy rules during a scan to gate on violations without running a separate provenance check step.
# Enforce a single policy file
provenance scan sbom sbom.json --policy policy.yaml

# Enforce all policies in a directory
provenance scan sbom sbom.json --policy-dir policies/
When policies are provided, the command returns the same exit codes as provenance check. See Exit codes.

scan oci

Extract an SBOM from an OCI container image and scan all packages concurrently. The CLI tries cosign first to retrieve an attached SBOM; if that fails or cosign is unavailable, it falls back to generating one with syft.

Synopsis
provenance scan oci <IMAGE> [OPTIONS]
At least one of cosign or syft must be installed and available on your PATH. If neither is found, the command fails with installation instructions for both tools.

Flags

--skip-verify
boolean
Skip cosign signature verification when downloading the attached SBOM. Use this for unsigned images where you still want to attempt a cosign SBOM download. An SBOM fetched this way is unauthenticated: it is only as trustworthy as the registry that served it and whoever could push to that repository.
--timeout
number
Per-request timeout in seconds for API calls made during the scan.
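The cosign-then-syft order described above, with the --skip-verify behaviour folded in, as an added sh example that is not provenance-cli's own code. It assumes the real `cosign verify` and `cosign download sbom` subcommands and the `syft IMAGE -o cyclonedx-json` invocation; the SKIP_VERIFY and COSIGN_VERIFY_ARGS variables and the exit codes are conventions chosen for this example, not CLI flags.

```shell
#!/bin/sh
# Added example, not provenance-cli's own code: reproduce the tool order that
# `provenance scan oci` uses. cosign is tried first (the SBOM attached to the image),
# syft is the fallback (an SBOM generated from the image), and the function fails
# with install hints when neither is on PATH. The variables and exit codes below are
# conventions chosen for this example, not CLI flags:
#   SKIP_VERIFY=1        skip cosign signature verification (mirrors --skip-verify)
#   COSIGN_VERIFY_ARGS   flags passed to `cosign verify`, e.g. --certificate-identity
#                        and --certificate-oidc-issuer for a keyless signature
# Exit codes: 0 SBOM written, 1 a tool was found but failed, 2 no tool installed.
# Usage: fetch_image_sbom IMAGE OUT_FILE

# Attached-SBOM path. Any failure returns non-zero so the caller can fall back.
cosign_attached_sbom() {
  image=$1
  out=$2
  if [ -z "$SKIP_VERIFY" ]; then
    # Without this step the SBOM is accepted on the registry's say-so alone.
    # shellcheck disable=SC2086
    if ! cosign verify $COSIGN_VERIFY_ARGS "$image" >/dev/null 2>&1; then
      echo "cosign: signature verification failed for $image" >&2
      return 1
    fi
  fi
  cosign download sbom "$image" > "$out" 2>/dev/null && [ -s "$out" ]
}

fetch_image_sbom() {
  image=$1
  out=$2
  have_cosign=0
  have_syft=0
  command -v cosign >/dev/null 2>&1 && have_cosign=1
  command -v syft >/dev/null 2>&1 && have_syft=1

  if [ "$have_cosign" -eq 1 ]; then
    if cosign_attached_sbom "$image" "$out"; then
      echo "cosign: using the SBOM attached to $image" >&2
      return 0
    fi
    echo "cosign: no usable attached SBOM for $image, trying syft" >&2
  fi

  if [ "$have_syft" -eq 1 ]; then
    # CycloneDX JSON is one of the formats `provenance scan sbom` auto-detects.
    if syft "$image" -o cyclonedx-json > "$out" 2>/dev/null && [ -s "$out" ]; then
      echo "syft: generated an SBOM for $image" >&2
      return 0
    fi
    echo "syft: failed to generate an SBOM for $image" >&2
    return 1
  fi

  # cosign was present but produced nothing, and there is no syft to fall back to.
  if [ "$have_cosign" -eq 1 ]; then
    return 1
  fi
  printf '%s\n' \
    'neither cosign nor syft found on PATH; install at least one:' \
    '  brew install cosign   # or https://github.com/sigstore/cosign/releases' \
    '  brew install syft     # or the anchore/syft install.sh script' >&2
  return 2
}

# Try it: fetch_image_sbom debian:bookworm-slim sbom.cdx.json && provenance scan sbom sbom.cdx.json
```

With COSIGN_VERIFY_ARGS empty, `cosign verify` on cosign 2.x refuses to run without an identity or key, so the attached SBOM is skipped and syft generates one instead; that is the fail-closed default this example keeps unless SKIP_VERIFY=1 is set.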

Examples

provenance scan oci debian:bookworm-slim
To install the required tools:
# cosign
brew install cosign              # macOS
# or download from https://github.com/sigstore/cosign/releases

# syft
brew install syft                # macOS
# or fetch the installer (review the script before piping it into a shell):
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
