https://github.com/stella/provenance

Generate SBOMs and third-party notices for JavaScript and Rust repositories

# @stll/provenance

`provenance` is a CLI that generates SBOMs and third-party notices for JavaScript and Rust repositories, and checks that committed outputs stay current.

It is designed to be deterministic, repo-friendly, and boring to operate.

## Scope

The current baseline focuses on:

- JavaScript projects and workspaces
- Rust crates and workspaces
- Mixed JS/Rust repositories
- Optional container image SBOM generation via `syft`

The workflow is file-based:

- one config file
- deterministic generated outputs
- no direct CI pushes to `main`
- repo-friendly `generate`, `check`, and `diff` flows

## Boundaries

- `THIRD-PARTY-NOTICES` is a generated inventory of detected third-party
components and declared license identifiers. It is not legal advice, and
some licenses may require additional attribution text at distribution time.
- Generate the canonical outputs in a controlled CI or release environment rather
than on developer machines, especially when the dependency graph includes
platform-specific or optional packages: those resolve differently per OS and
architecture, so outputs generated locally may not match what CI sees.
- `notice.internal_scopes` can be used to exclude first-party scoped packages
from generated notices and repo SBOM component inventories.
- `output_dir` must point to a dedicated directory such as `provenance`; the
tool refuses to write managed outputs directly into the repository root.

## Installation

Download a pinned binary from GitHub Releases for CI and automation.

Example for Linux x64:

```bash
curl -fsSL -o /tmp/provenance.tar.gz \
https://github.com/stella/provenance/releases/download/v0.1.0/provenance-v0.1.0-x86_64-unknown-linux-gnu.tar.gz
tar -xzf /tmp/provenance.tar.gz -C /tmp
install /tmp/provenance-v0.1.0-x86_64-unknown-linux-gnu/provenance ~/.local/bin/provenance
```
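The snippet above pins the release version but still installs whatever bytes the download returns. As an added example (not code from the provenance project), the script below keeps the same URL layout and refuses to run `install` unless the tarball hashes to a SHA-256 recorded when the release was first reviewed. The digest value, the `PROVENANCE_TARBALL_SHA256` and `PROVENANCE_BIN_DIR` variables, and the `install` argument guard are this example's own assumptions; the project does not publish checksums in this README, so compute the digest once from a reviewed download and commit it alongside your CI configuration.

```shell
# Added example, not part of the provenance project: download a pinned release
# tarball and install it only if its SHA-256 matches a previously recorded digest.
set -eu

VERSION="v0.1.0"
TARGET="x86_64-unknown-linux-gnu"
# Assumption: placeholder digest. Record the real value once from a reviewed
# download (sha256sum provenance-v0.1.0-x86_64-unknown-linux-gnu.tar.gz).
EXPECTED_SHA256="${PROVENANCE_TARBALL_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
}

# install_pinned: fetch, verify, then unpack and install the binary.
install_pinned() {
  local name="provenance-${VERSION}-${TARGET}"
  local url="https://github.com/stella/provenance/releases/download/${VERSION}/${name}.tar.gz"
  local bin_dir="${PROVENANCE_BIN_DIR:-$HOME/.local/bin}"
  local tmp
  tmp="$(mktemp -d)"
  trap 'rm -rf "$tmp"' EXIT
  curl -fsSL -o "$tmp/$name.tar.gz" "$url"
  # Nothing is extracted or executed until the digest check passes.
  verify_sha256 "$tmp/$name.tar.gz" "$EXPECTED_SHA256"
  tar -xzf "$tmp/$name.tar.gz" -C "$tmp"
  mkdir -p "$bin_dir"
  install -m 0755 "$tmp/$name/provenance" "$bin_dir/provenance"
}

# Only touch the network when explicitly asked, so the file can be sourced
# for its functions without downloading anything.
if [ "${1:-}" = "install" ]; then
  install_pinned
fi
```

In a CI job this is the step that precedes `provenance check`; a digest mismatch fails the job before the binary is ever executed.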

To build or install from source instead:

```bash
cargo install --git https://github.com/stella/provenance --locked
```

For local development:

```bash
cargo install --path .
```

## Runtime prerequisites

The CLI itself is a single Rust binary. Analysis still depends on ecosystem tooling:

- `cdxgen` for JavaScript and Rust SBOM generation
  - supported discovery order: `cdxgen`, `bunx @cyclonedx/cdxgen`, `npx --yes @cyclonedx/cdxgen`
- `syft` for optional container SBOMs

You can also point the CLI at explicit binaries:

- `PROVENANCE_CDXGEN=/path/to/cdxgen`
- `PROVENANCE_SYFT=/path/to/syft`

Prefer the explicit paths in CI. The `bunx` and `npx --yes` fallbacks fetch
`@cyclonedx/cdxgen` from the registry on demand (with `--yes` suppressing the
install prompt), so without a pin the SBOM generator itself is an unpinned
dependency resolved at analysis time.
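To see which `cdxgen` command a given host would end up with, the following added example (not the project's code) walks the README's discovery order and adds a CI guard that rejects the registry-fetching fallbacks. It assumes that an explicit `PROVENANCE_CDXGEN` takes precedence over discovery and that the fallbacks are invoked exactly as listed above; the `require_pinned_cdxgen` helper is this example's own addition.

```shell
# Added example, not part of the provenance project: reproduce the cdxgen
# discovery order from the README and flag the fallbacks that download code.
set -eu

# resolve_cdxgen: print the cdxgen command that would be used, or fail.
resolve_cdxgen() {
  if [ -n "${PROVENANCE_CDXGEN:-}" ]; then
    # Explicit pin (assumed to win over discovery): the operator vouches for it.
    printf '%s\n' "$PROVENANCE_CDXGEN"
  elif command -v cdxgen >/dev/null 2>&1; then
    # A cdxgen already on PATH: print its full path so it can be audited.
    command -v cdxgen
  elif command -v bunx >/dev/null 2>&1; then
    # Fetches @cyclonedx/cdxgen into bun's cache if absent: unpinned at run time.
    printf '%s\n' "bunx @cyclonedx/cdxgen"
  elif command -v npx >/dev/null 2>&1; then
    # --yes suppresses the install prompt, so this downloads and executes
    # whatever version npx resolves at analysis time.
    printf '%s\n' "npx --yes @cyclonedx/cdxgen"
  else
    echo "no cdxgen found; set PROVENANCE_CDXGEN to a vetted binary" >&2
    return 1
  fi
}

# require_pinned_cdxgen: for CI, accept only an explicit pin or a binary
# already on PATH; refuse the bunx/npx fallbacks that fetch from the registry.
require_pinned_cdxgen() {
  local cmd
  cmd="$(resolve_cdxgen)" || return 1
  case "$cmd" in
    "bunx "*|"npx "*)
      echo "refusing unpinned fallback in CI: $cmd" >&2
      return 1 ;;
  esac
  printf '%s\n' "$cmd"
}
```

Run `require_pinned_cdxgen` at the start of the CI job that calls `provenance generate` or `provenance check`; a failure there means the SBOM would have been produced by a tool version nobody pinned.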

## Quick Start

```bash
provenance init
provenance generate
```

`provenance init` discovers JavaScript and Rust projects under the current root
and writes `.provenance.yml`.

`provenance generate` writes deterministic compliance artifacts into the
configured output directory.

For ongoing verification:

```bash
provenance check
provenance diff
```

## Generated outputs

For a single-project repo:

- `provenance/sbom.cdx.json`
- `provenance/THIRD-PARTY-NOTICES.txt`

For multi-project repos:

- `provenance/projects//sbom.cdx.json`
- `provenance/projects//THIRD-PARTY-NOTICES.txt`

For each configured container:

- `provenance/containers//sbom.cdx.json`
- `provenance/containers//THIRD-PARTY-NOTICES.txt`

Repo-level outputs:

- `provenance/report.json`

When there is more than one project, or at least one container is configured:

- `provenance/THIRD-PARTY-NOTICES.repo.txt`

## CI model

The recommended flow is:

1. run `provenance generate` when dependency inputs change
2. commit the generated outputs
3. run `provenance check` in CI

This repo follows that model directly in GitHub Actions.

## Development

```bash
cargo fmt -- --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test
cargo test --test integration_real -- --ignored
cargo doc --no-deps
cargo deny check
cargo package --locked
```