Conditions are the matching criteria inside a rule’s match block. Each condition maps to a field name and a value. All 15 conditions are listed below.
Quick reference
| Condition | Value type | Matches when… |
|---|---|---|
| advisory_relationship | "direct" or "indirect" | Package has an advisory with this relationship |
| advisory_names | list of glob patterns | Advisory name matches any listed pattern |
| has_breached_credentials | true | Any contributor has breached credentials |
| bus_factor_below | number | Repository bus factor is below threshold |
| signed_commit_ratio_below | float | Signed commit ratio is below threshold |
| contributor_countries | list of ISO country codes | Any contributor is from a listed country |
| repo_archived | true | Repository is archived |
| repo_deprecated | true | Package or repository is deprecated |
| scorecard_score_below | float | OpenSSF Scorecard score is below threshold |
| no_recent_commits_days | number | No commits in the last N days |
| license_spdx | list of SPDX identifiers | License matches any listed identifier |
| key_change_detected | true | Signing key change detected for any contributor |
| contributor_emails | list of glob patterns | Any contributor email matches a pattern |
| repo_urls | list of glob patterns | Repository URL matches any pattern |
| package_purl | glob string | Package PURL matches glob |
Multiple conditions in a single rule are AND-joined — all must match for the rule to trigger. For OR logic, write separate rules with the same action.
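The AND-within-a-rule and OR-across-rules semantics above, plus the license_spdx NONE handling and the allow-rule exemption via package_purl described under the package conditions below, as an added example that is not provenance-cli's own code: a small Python evaluator run over a constructed package record. The record's field names, the rule dict shape, and block taking precedence over flag are assumptions of this example.

```python
import fnmatch

# Constructed sample package record (not real data); its field names are assumptions.
PKG = {
    "purl": "pkg:npm/left-pad@1.3.0", "repo_url": "https://github.com/example-org/left-pad",
    "license": None,  # no license assertion
    "advisories": [{"name": "GHSA-example-1234", "relationship": "indirect"}],
    "contributors": [{"email": "dev@example.org", "country": "KP"}],
    "bus_factor": 1, "scorecard_score": 3.5, "signed_commit_ratio": 0.2, "days_since_last_commit": 400,
    "repo_archived": True, "repo_deprecated": False, "has_breached_credentials": False, "key_change_detected": False,
}

def matches(cond, value, pkg):
    """Evaluate one condition from the quick-reference table against a package record."""
    if cond == "advisory_relationship":
        return any(a["relationship"] == value for a in pkg["advisories"])
    if cond == "advisory_names":
        return any(fnmatch.fnmatch(a["name"], p) for a in pkg["advisories"] for p in value)
    if cond == "package_purl":
        return fnmatch.fnmatch(pkg["purl"], value)
    if cond == "repo_urls":
        return any(fnmatch.fnmatch(pkg["repo_url"], p) for p in value)
    if cond == "contributor_emails":
        return any(fnmatch.fnmatch(c["email"], p) for c in pkg["contributors"] for p in value)
    if cond == "contributor_countries":
        return any(c["country"] in value for c in pkg["contributors"])
    if cond == "license_spdx":  # NONE matches NOASSERTION or an empty/missing license
        lic = pkg["license"] or "NOASSERTION"
        return any(lic == v or (v == "NONE" and lic == "NOASSERTION") for v in value)
    if cond == "no_recent_commits_days":
        return pkg["days_since_last_commit"] >= value
    if cond.endswith("_below"):  # bus_factor, scorecard_score, signed_commit_ratio
        return pkg[cond[:-len("_below")]] < value
    return value is True and bool(pkg[cond])  # repo_archived, repo_deprecated, ...

def evaluate(rules, pkg):
    """Conditions inside one match block are AND-joined; separate rules give OR.
    An allow rule exempts the package; block over flag is this example's assumption."""
    fired = [r for r in rules if all(matches(c, v, pkg) for c, v in r["match"].items())]
    actions = {r["action"] for r in fired}
    if "allow" in actions:
        return "allow"
    return "block" if "block" in actions else "flag" if "flag" in actions else "pass"

RULES = [  # AND inside one match block; OR via two rules with the same action
    {"action": "block", "match": {"repo_archived": True, "no_recent_commits_days": 365}},
    {"action": "flag", "match": {"contributor_countries": ["CU", "KP", "IR"]}},
    {"action": "flag", "match": {"license_spdx": ["NONE"]}},
]
```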
Advisory conditions
advisory_relationship
Matches when the package has an advisory with the specified relationship. Accepted values are "direct" (the package itself is affected) or "indirect" (an upstream dependency is affected).
advisory_names
Matches when any advisory on the package has a name matching at least one glob pattern in the list. Supports * wildcards.
Contributor security conditions
has_breached_credentials
Matches when one or more contributors associated with the package’s repository have credentials found in known data breaches. Set to true to flag affected packages. The engine checks the repository health API’s contributors_with_breached_creds count first, then falls back to individual contributor security data.
key_change_detected
Matches when a signing key change has been detected for any contributor. A key change can indicate legitimate key rotation or account compromise. Set to true to flag packages where this occurred. This condition fetches contributor security data for a sample of up to 10 contributors and short-circuits on the first match.
signed_commit_ratio_below
Matches when the ratio of signed commits to total commits is below the specified threshold. A value of 0.5 means fewer than 50% of commits are signed. This condition fetches contributor security data for a sample of up to 15 contributors.
contributor_countries
Matches when any contributor is from one of the listed countries. Values are ISO 3166-1 alpha-2 country codes (e.g. CU, KP, IR). The engine also accepts full country names and maps them to codes automatically.
contributor_emails
Matches when any contributor’s email address matches at least one glob pattern. Supports * wildcards. Checks the contributors[].email field from the package’s repository details.
Repository health conditions
bus_factor_below
Matches when the repository’s bus factor (the number of contributors whose absence would critically impact the project) is below the specified threshold. A bus factor of 1 means a single person controls the project.
repo_archived
Matches when the repository has been archived on its hosting platform. Archived repositories receive no further updates or security patches. Set to true to flag archived repos.
repo_deprecated
Matches when the package or repository has been explicitly marked as deprecated. Set to true to flag deprecated packages.
scorecard_score_below
Matches when the repository’s OpenSSF Scorecard score is below the specified threshold. Scorecard scores range from 0 to 10.
no_recent_commits_days
Matches when no commits have been made to the repository in the last N days. Use this to flag stale or abandoned projects.
Package and license conditions
license_spdx
Matches when the package or repository license matches any of the listed SPDX identifiers. Use NONE to match packages with no license assertion (NOASSERTION or empty).
repo_urls
Matches when the package’s repository URL matches at least one glob pattern. Use this to block or flag packages from specific organizations or hosting providers.
package_purl
Matches when the package’s PURL (Package URL) matches the specified glob pattern. This condition is most commonly used with allow rules to exempt specific packages from other rules.
Data requirements
Conditions require different API data. The engine fetches only what is needed.
Conditions requiring repository health data
These conditions cause the engine to call the repo health API for the package’s repository URL. Results are cached per URL within a single invocation.
- bus_factor_below
- repo_archived
- repo_deprecated
- scorecard_score_below
- no_recent_commits_days
- has_breached_credentials
- contributor_countries
- license_spdx
Conditions requiring contributor security data
These conditions cause the engine to fetch security data for a sample of contributors from the package’s repository.
- key_change_detected — evaluates contributor security data for signing key changes
- signed_commit_ratio_below — evaluates signed commit ratio from contributor security data; falls back to per-contributor data in the package response
Conditions using only package data
These conditions are evaluated from the standard package API response, which is always fetched.
- advisory_relationship
- advisory_names
- contributor_emails
- repo_urls
- package_purl