
All commands require a Provenance API token. Set PROVENANCE_API_TOKEN before running any provenance command. See Authentication for details.
1. Install the CLI

Download the pre-built binary for your platform and move it into a directory on your PATH.
# Linux x86_64 (glibc)
curl -sL https://github.com/NetRiseInc/provenance-cli/releases/latest/download/provenance-linux-x86_64-gnu.tar.gz | tar xz
sudo mv provenance /usr/local/bin/
See Installation for all supported platforms, the musl/aarch64 Linux variants, macOS (Intel and Apple Silicon), and instructions for building from source.
2. Set your API token

Export your Provenance API token as an environment variable. Every command reads this token automatically.
export PROVENANCE_API_TOKEN=<your-token>
You can also set the token in ~/.config/provenance/config.yaml or pass it per-command with --token. See Authentication.
3. Test connectivity

Verify that the CLI can reach the Provenance API and that your token is valid.
provenance config test
A successful response confirms the API URL and token are working correctly.
4. Query a package

Look up a package by its PURL (Package URL) to see provenance data, contributor information, and advisory exposure.
provenance query package 'pkg:deb/debian/curl@7.68.0-1?arch=amd64&distro=debian-10'
Add --health to also fetch repository health metrics such as bus factor, OpenSSF Scorecard score, and commit recency.
5. Scan an SBOM

Parse an SBOM file and query every package it lists against the API concurrently. The SBOM format is auto-detected from the file content.
provenance scan sbom my-sbom.cdx.json
Supported formats: CycloneDX JSON/XML, SPDX JSON/tag-value, CSV. See scan sbom for all options.
6. Run a policy check

Evaluate an SBOM against one or more YAML policy files. Returns a non-zero exit code when violations are found, making it suitable for CI/CD pipelines.
provenance check sbom.json --policy examples/policies/
Exit code 1 means at least one deny rule matched. Exit code 2 means at least one review rule matched. Exit code 0 means all checks passed. See Policy engine and Exit codes.

Next steps

Installation

All platforms, build-from-source instructions, and shell completions.

Authentication

Config file, environment variables, and legacy token support.

Command reference

Every command, subcommand, and flag documented in detail.

Policy engine

Write YAML policies to gate CI/CD on supply chain risk indicators.
