Run Provenant — the Rust,
ScanCode-compatible license, copyright, and SBOM scanner — in a GitHub Actions
workflow. This action wraps the published container image
ghcr.io/getprovenant/provenant
so a scan needs no local toolchain.
Minimal workflow — scan the checked-out repository and stream a pretty-printed JSON report to the workflow log:
name: License scan
on: [push, pull_request]
permissions:
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: getprovenant/provenant-action@v1Write a report file and scan specific paths with a custom detection set:
- uses: getprovenant/provenant-action@v1
with:
paths: src testdata
output-format: json
output-file: provenant-results.json
args: --license --package --copyright --info
- uses: actions/upload-artifact@v7
with:
name: provenant-results
path: provenant-results.jsonFor fast pull-request checks, scan just the files that changed instead of the
whole tree. Produce a changed-file list with git diff and pass it as
paths-file:
name: Changed-file license scan
on: pull_request
permissions:
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 0
- name: List changed files
run: git diff --name-only --diff-filter=d "origin/${{ github.base_ref }}...HEAD" > changed.txt
- uses: getprovenant/provenant-action@v1
with:
paths-file: changed.txt
args: --license --package --copyrightProvide a license-policy file
that marks licenses with a compliance_alert, then gate on it. The job fails
when a matching license is found, and the SARIF file surfaces the violations as
pull-request and code-scanning alerts:
permissions:
contents: read
security-events: write # to upload SARIF
jobs:
license-gate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: getprovenant/provenant-action@v1
with:
license-policy: .github/license-policy.yml
fail-on: error
sarif-file: provenant.sarif
- uses: github/codeql-action/upload-sarif@v3
if: always() # upload findings even when the gate fails the job
with:
sarif_file: provenant.sarifAny provenant scan flag can be passed through args — for example
--ignore "node_modules/*" to skip noise or --incremental with a cached
--cache-dir to reuse work across runs. See the CLI Guide
for the full set of workflows and flags.
| Input | Default | Description |
|---|---|---|
paths |
. |
Space-separated files or directories to scan, relative to the repository root. Defaults to the whole checkout. |
output-format |
json-pp |
Output format. One of json-pp, json, json-lines, yaml, cyclonedx, cyclonedx-xml, spdx-tv, spdx-rdf, debian, html. Maps to the matching provenant scan --<format> flag. |
output-file |
- |
Where to write the report. - streams to stdout (the workflow log); any other value is a path written inside the workspace. |
args |
--license --package |
Extra raw arguments appended verbatim to provenant scan. Detections are opt-in — this is where you enable them (--license, --package, --copyright, --info, --email, --url, …). |
paths-file |
(empty) | Optional file listing exact files/directories to scan (one per line), relative to a single scan root in paths. Ideal for pull-request CI via git diff --name-only. When set, paths must stay a single root (the default .). |
license-policy |
(empty) | Optional path to a YAML license-policy file. Enables policy evaluation; required by fail-on and by SARIF output. |
fail-on |
(empty) | Fail the job (exit 3) when a file matches a policy whose compliance_alert is at or above this level: error or warning. Requires license-policy. |
sarif-file |
(empty) | Also write SARIF 2.1.0 of policy violations to this path, for github/codeql-action/upload-sarif. Meaningful only with license-policy. |
Under the hood the action runs:
provenant scan <paths> [--paths-file <paths-file>] [--license-policy <file>] \
[--fail-on <level>] [--sarif <sarif-file>] --<output-format> <output-file> <args>This action does not set step outputs. Retrieve results by pointing
output-file at a path and uploading it with actions/upload-artifact, or by
reading the report streamed to the workflow log when output-file is -.
The action always runs the latest published Provenant release: its
Dockerfile is FROM ghcr.io/getprovenant/provenant:latest, rebuilt on each run.
So the wrapped scanner advances automatically with every Provenant release — there is no per-release
update to this action.
You pin the action's own behavior by git ref:
- A major version tag (such as
@v1) — the best default; picks up action fixes within that major. - A full commit SHA — an exact, immutable pin of the action.
Because the action tracks :latest, @vN does not pin a fixed scanner version. If you need a
reproducible scanner version, pin the container directly instead (docker run ghcr.io/getprovenant/provenant:<version> scan …).
The upstream image is distroless (no shell) and its entrypoint is the
provenant binary itself. To map the action inputs onto a provenant scan
invocation robustly, this action builds a thin wrapper image that FROMs
ghcr.io/getprovenant/provenant and adds a statically linked busybox shell so
entrypoint.sh can assemble the command line. See the inline
comments in action.yml and Dockerfile for
details.
Licensed under the Apache License 2.0, matching the main Provenant project.