The open-source ecosystem for software provenance, license & copyright compliance, and SBOMs.
This organization is the home of Provenant — open-source tooling for understanding what is really inside your software and its supply chain: the licenses, copyrights, package metadata, dependencies, and provenance behind everything you ship.
At its heart is a fast, Rust-based scanner, with the pieces built around it to run the same scans everywhere — on your machine, in CI, in containers, and through your package manager. Everything here follows one principle: results should be accurate, explainable, safely bounded, and fast enough to run anywhere.
- provenant — the core scanner: a CLI, an HTTP service, and an embeddable Rust library. Apache-2.0.
- provenant-action — the official GitHub Action for running Provenant scans in your CI workflows.
- homebrew-tap — the Homebrew tap for installing Provenant on macOS and Linux.
| Channel | Get started |
|---|---|
| Cargo | cargo install provenant-cli |
| Homebrew | brew install getprovenant/tap/provenant |
| Container | docker run -v "$PWD:/src" ghcr.io/getprovenant/provenant scan /src --json-pp - |
| GitHub Actions | uses: getprovenant/provenant-action@v1 |
| Binaries | Prebuilt archives on the releases page |
Start with the main repository for documentation, usage, and the output schema.