Provenance Getting Started Guide
This guide provides an overview of the Provenance ecosystem, including the web interface, API integration, and core concepts for software supply chain intelligence.
Interface Options
- Web Interface: A visual dashboard for quick lookups and exploration. Access it at provenance.netrise.io.
- API: For automation and deep integration into security workflows. Documentation is available at provenance.netrise.io/docs.
- CLI: Optimized for terminal-based workflows, policy building, and CI/CD integrations.
Core Concept: Building PURLs
To query package information, the API requires Package URLs (PURLs) that adhere to the PURL Specification.
Required Fields for OS Packages
Operating system packages require six specific fields (matched case-insensitively):

| Field | Description | Example |
| --- | --- | --- |
| type | Package format | deb, rpm, apk |
| namespace | Vendor or distribution source | debian, ubuntu, centos |
| name | Name of the software package | curl, openssl, nginx |
| version | Full version string | 7.68.0-1 |
| arch | CPU architecture | amd64, x86_64, arm64 |
| distro | OS and version | debian-12, ubuntu-22.04 |
Standard Format:
pkg:type/namespace/name@version?arch=arch&distro=distro
Note: If you do not have all six fields, query the /package/search endpoint with a PURL that carries only the type, namespace, and name; the response lists the available versions and architectures, from which you can assemble the full PURL.
Required Fields for PyPI Packages
PyPI packages require three specific fields (matched case-insensitively):

| Field | Description | Example |
| --- | --- | --- |
| type | Package format | pypi |
| name | Name of the Python package | requests, numpy, django |
| version | Full version string | 2.31.0, 1.26.4, 5.1rc1 |

Standard Format:
pkg:pypi/name@version
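The following is an added example for this guide, not Provenance's own code. It builds PURLs in the two layouts documented above (six fields for OS packages, name and version for PyPI), builds the version-less search PURL the note above describes, and checks whether a PURL already carries every field the /package endpoint needs before you choose an endpoint. Function names are ours; percent-encoding follows the PURL Specification and is applied conservatively to every reserved character.

```python
"""Build and check Package URLs (PURLs) for the Provenance API.

Added example for the guide, not Provenance's own code. Implements the
documented field layouts (six fields for deb/rpm/apk, two for pypi), the
version-less fallback for /package/search, and a completeness check.
"""
from urllib.parse import quote, unquote

OS_TYPES = ("deb", "rpm", "apk")


def _enc(value: str) -> str:
    # Conservative PURL component encoding: percent-encode every reserved
    # character (':' '/' '@' '?' '#' '&' '=' ...). The spec tolerates some of
    # them unencoded, but encoding all of them always parses unambiguously,
    # e.g. an rpm epoch "1:1.1.1k-7.el8" becomes "1%3A1.1.1k-7.el8".
    return quote(value, safe="")


def _require(fields: dict) -> None:
    missing = [k for k, v in fields.items() if not v]
    if missing:
        raise ValueError(f"missing required PURL field(s): {', '.join(missing)}")


def build_os_purl(type_, namespace, name, version, arch, distro):
    """pkg:type/namespace/name@version?arch=arch&distro=distro (all six required)."""
    # type, namespace and name are lowercased to match PURL canonical form;
    # the version string is passed through unchanged.
    type_, namespace, name = type_.lower(), namespace.lower(), name.lower()
    _require({"type": type_, "namespace": namespace, "name": name,
              "version": version, "arch": arch, "distro": distro})
    if type_ not in OS_TYPES:
        raise ValueError(f"unsupported OS package type {type_!r}; expected one of {OS_TYPES}")
    return (f"pkg:{type_}/{_enc(namespace)}/{_enc(name)}@{_enc(version)}"
            f"?arch={_enc(arch)}&distro={_enc(distro)}")


def build_pypi_purl(name, version):
    """pkg:pypi/name@version. PURL canonical form for pypi: lowercase, '_' -> '-'."""
    name = name.lower().replace("_", "-")
    _require({"name": name, "version": version})
    return f"pkg:pypi/{_enc(name)}@{_enc(version)}"


def build_search_purl(type_, name, namespace=None):
    """Version-less PURL for /package/search when version/arch/distro are unknown."""
    type_, name = type_.lower(), name.lower()
    _require({"type": type_, "name": name})
    if type_ in OS_TYPES:
        _require({"namespace": namespace or ""})
        return f"pkg:{type_}/{_enc(namespace.lower())}/{_enc(name)}"
    return f"pkg:{type_}/{_enc(name)}"


def parse_purl(purl):
    """Split a PURL back into its fields (values percent-decoded)."""
    if not purl.startswith("pkg:"):
        raise ValueError("PURL must start with 'pkg:'")
    body, _, query = purl[4:].partition("?")
    path, _, version = body.partition("@")  # '@' inside a name is encoded as %40
    segments = path.split("/")
    if len(segments) < 2:
        raise ValueError("PURL needs at least a type and a name")
    fields = {"type": segments[0].lower(), "name": unquote(segments[-1]),
              "namespace": unquote("/".join(segments[1:-1])) or None,
              "version": unquote(version) or None}
    for pair in filter(None, query.split("&")):
        key, _, val = pair.partition("=")
        fields[key.lower()] = unquote(val)
    return fields


def fields_complete(purl):
    """True when the PURL carries everything /package needs for its package type."""
    f = parse_purl(purl)
    needed = ("namespace", "version", "arch", "distro") if f["type"] in OS_TYPES else ("version",)
    return all(f.get(k) for k in needed)


if __name__ == "__main__":
    full = build_os_purl("deb", "Debian", "curl", "7.68.0-1", "amd64", "debian-12")
    print(full, "->", "use /package" if fields_complete(full) else "use /package/search")
    partial = build_search_purl("deb", "curl", "debian")
    print(partial, "->", "use /package" if fields_complete(partial) else "use /package/search")
    print(build_pypi_purl("Django", "5.1rc1"))
```

Lowercasing the version is deliberately avoided: the guide calls the fields case-insensitive, but distribution version strings are compared as given, so only type, namespace, and name are normalized.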
Key Features
Contributor Intelligence
Provenance tracks source code contributors by email or GitHub username.
- Security Analysis: Identify contributors with breached credentials or significant signing key changes.
- Commit Integrity: Review the ratio of signed to total commits across repositories.
- Affiliations: View associated organizations and geographic distributions.
Repository Health and Risk
Analyze repository URLs to evaluate project sustainability and security posture.
- OpenSSF Scorecard: Access automated security checks including branch protection and code review status.
- Contributor Risk: Monitor the "Bus Factor" (contributor concentration) and maintainer tenure.
- Activity Metrics: Track commit frequency, issue resolution rates, and release cadence.
Primary API Endpoints

| Capability | Method | Endpoint |
| --- | --- | --- |
| Package Metadata | GET | /package?identifier=<PURL> |
| Package Search | GET | /package/search?identifier=<PURL> |
| Dependents Lookup | GET | /package/dependents?identifier=<PURL> |
| Repository Health | GET | /repo/health?repo_url=<URL> |
| Contributor Security | GET | /contributor/security?username=<username> |

Because an OS-package PURL itself contains `?`, `&`, and `=`, it must be percent-encoded when placed in the `identifier` query parameter; pasting it in raw causes the `distro` qualifier to be parsed as a separate parameter.
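The following is an added example, not Provenance's own client. It assembles request URLs for the endpoints in the table with the PURL encoded as a single query value, and shows side by side what a standard query-string parser sees for the correctly encoded URL and for the raw-pasted one. BASE_URL is an assumption (take the real one from provenance.netrise.io/docs), and the authentication header is left to the caller because the guide does not document the scheme; the network call is included for completeness but is not needed to run the comparison.

```python
"""Build Provenance API request URLs with the PURL encoded as one query value.

Added example for this guide, not Provenance's own client. Endpoint paths and
parameter names come from the table above; BASE_URL is an assumption and the
auth header is the caller's responsibility.
"""
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

BASE_URL = "https://provenance.netrise.io"  # assumed; confirm in the API docs

# capability -> (path, query parameter name), from the endpoint table
ENDPOINTS = {
    "package": ("/package", "identifier"),
    "search": ("/package/search", "identifier"),
    "dependents": ("/package/dependents", "identifier"),
    "repo_health": ("/repo/health", "repo_url"),
    "contributor_security": ("/contributor/security", "username"),
}


def api_url(capability, value, base=BASE_URL):
    """Return the full request URL for one of the documented capabilities."""
    path, param = ENDPOINTS[capability]
    # urlencode percent-encodes ':' '/' '@' '?' '&' '=' inside the value, so an
    # OS-package PURL's "?arch=...&distro=..." qualifiers stay inside the
    # identifier parameter instead of being split into separate parameters.
    return f"{base.rstrip('/')}{path}?{urlencode({param: value})}"


def naive_url(capability, value, base=BASE_URL):
    """The mistake to avoid: the raw PURL concatenated into the query string."""
    path, param = ENDPOINTS[capability]
    return f"{base.rstrip('/')}{path}?{param}={value}"


def server_side_params(url):
    """What a standard query-string parser (i.e. the server) sees for this URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def query_json(capability, value, headers=None, timeout=30):
    """Send the GET and decode the JSON body. Network call; not exercised offline.

    Pass the authentication header documented at provenance.netrise.io/docs in
    `headers`; this example does not assume its name or format.
    """
    req = Request(api_url(capability, value), headers=dict(headers or {}))
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    purl = "pkg:deb/debian/curl@7.68.0-1?arch=amd64&distro=debian-12"
    print("encoded:", server_side_params(api_url("package", purl)))
    print("naive:  ", server_side_params(naive_url("package", purl)))
```

Run as a script, the naive line shows the identifier truncated to `pkg:deb/debian/curl@7.68.0-1?arch=amd64` with `distro` arriving as its own parameter, which is why a lookup built by string concatenation can silently return the wrong package or nothing at all.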
Further Resources: