Frequently Asked Questions

Can you tell me more about Stacklok, the company behind Trusty?

Stacklok’s mission is to make it easier for developers to build more trustworthy software. Our free-to-use products, Trusty and Minder, help developers make safer dependency choices and help development teams and open source maintainers adopt safer development practices.

Our co-founders, Craig McLuckie and Luke Hinds, are veterans of the open source and software security communities. Craig McLuckie co-founded Kubernetes, an open source system for automating deployment, scaling, and management of containerized applications, and Luke Hinds founded Sigstore, an open source project that dramatically simplifies how developers sign and verify software artifacts.

Learn more about us at www.stacklok.com.

How is Trusty different from other tools that list information about open source packages?

Trusty takes a holistic approach to vetting open source package risk. It uses statistical analysis of factors like author and repo activity, along with validation of a package’s source of origin, to provide clear and reliable data about its trustworthiness.

While there are existing tools that provide information about open source packages, it’s still possible to get false information: for example, a malicious actor may use “starjacking” to display fake metadata and popularity information for a package. Trusty uses Sigstore to display proof of a package’s origin, and to verify that our data is authentic and mapped to the correct source.
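The starjacking check mentioned above can be approximated locally. The following Python snippet is an added illustration, not Trusty's code or the Stacklok algorithm: it takes a package's declared repository URL and compares it with what that repository's own manifest says its package is called. All package names, repository URLs and manifests here are constructed stand-ins (a real check would fetch the manifest from the forge); a mismatch is a signal worth investigating, not proof of malice.

```python
"""Starjacking heuristic (added example, not Trusty's implementation).

A starjacked package points its metadata at a well-known repository it
does not own, so it inherits that repository's stars and activity. The
repository's own manifest (package.json, pyproject.toml, Cargo.toml, ...)
normally names the real package, so a name mismatch is a useful signal.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class PackageMetadata:
    name: str            # name as published in the registry
    ecosystem: str       # e.g. "npm", "pypi", "crates"
    repository_url: Optional[str]  # what the package claims as its source


@dataclass(frozen=True)
class RepoManifest:
    package_name: Optional[str]    # name declared in the repo's own manifest


def normalize_repo(url: str) -> str:
    """Reduce a repository URL to host/path so spelling variants compare equal.

    "git+https://github.com/Acme/Acme-Utils.git/" -> "github.com/acme/acme-utils"
    """
    parsed = urlparse(url.strip())
    host = parsed.netloc.lower()
    path = parsed.path.lower().rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host}{path}"


# Constructed stand-in for fetching each repository's manifest over the network.
CONSTRUCTED_REPOS = {
    "github.com/acme/acme-utils": RepoManifest(package_name="acme-utils"),
    "github.com/acme/other-tool": RepoManifest(package_name=None),  # no manifest name
}


def check_starjacking(pkg: PackageMetadata, repos=CONSTRUCTED_REPOS) -> str:
    """Return a verdict for the package's repository claim.

    "consistent"          the repo's manifest names this very package
    "name-mismatch"       the repo names a different package (starjacking signal)
    "unverifiable"        the repo exists but its manifest declares no name
    "repository-not-found" the claimed repo could not be resolved
    "no-repository"       the package declares no source repository at all
    """
    if not pkg.repository_url:
        return "no-repository"
    manifest = repos.get(normalize_repo(pkg.repository_url))
    if manifest is None:
        return "repository-not-found"
    if manifest.package_name is None:
        return "unverifiable"
    if manifest.package_name.lower() != pkg.name.lower():
        return "name-mismatch"
    return "consistent"


if __name__ == "__main__":
    samples = [
        PackageMetadata("acme-utils", "npm", "git+https://github.com/acme/acme-utils.git"),
        PackageMetadata("acme-utlis", "npm", "https://github.com/Acme/Acme-Utils/"),  # look-alike
        PackageMetadata("acme-widgets", "npm", None),
        PackageMetadata("acme-cli", "npm", "https://example.invalid/acme/missing"),
        PackageMetadata("acme-tool", "npm", "https://github.com/acme/other-tool"),
    ]
    for sample in samples:
        print(f"{sample.name:14} -> {check_starjacking(sample)}")
```

The verdicts are deliberately graded: only "name-mismatch" is a direct starjacking signal, while "unverifiable" and "no-repository" mean the claim simply cannot be confirmed, which is exactly the gap that signed provenance (such as Sigstore attestations, where an ecosystem supports them) is meant to close.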

In addition, Trusty integrates with Minder, so that development teams can create policies based on Trusty’s rating system. For example, you can create a policy to block pull requests that contain dependencies with a low Trusty Score.

How is Trusty’s rating system different from OpenSSF Scorecard?

Trusty is complementary to OpenSSF Scorecard. OpenSSF Scorecard is a tool that can help open source project owners and developers check whether an open source project meets security best practices. It runs a series of checks on practices like release signing; fuzzing; and Static Application Security Testing (SAST), assigning scores for each of these practices to help project owners understand areas in which they need to improve.

However, the OpenSSF Scorecard does not provide scoring and usage guidance based on package activity, author reputation, provenance, or signals of malicious activity like typosquatting and starjacking.

We highly recommend using OpenSSF Scorecard as another way to evaluate open source software security, and are thinking through ways to make this information openly available in Trusty for easier evaluation.

Will Trusty support other types of packages, like NuGet and Homebrew?

Yes. We started with Python, JavaScript, and Rust packages, and we followed up with support for Java and Go. We have plans to expand to additional languages. Refer to our roadmap to see what other features we’re building next.

Why can’t I see provenance information for Python or Rust packages?

We can only display provenance information for package ecosystems that support publishing packages with provenance, like npm (JavaScript). As other ecosystems begin to support this, we will surface this information in Trusty.

Why isn’t Trusty open source?

We aim to deliver Trusty as a free-to-use, SaaS-based solution, and have not yet decided whether elements of Trusty will be open source or not. Being as transparent as possible, we believe that the key ingredient to the success of an open source project is the interest and ultimately the ability of end users to build and run the project. In the case of Trusty, given the complexity of the data science going into the project, and the complexity and cost of establishing the machine learning environment, we are not (at this time) convinced that anyone would benefit from access to the core algorithms and source code.

Our ambition is also to bring together a community of individuals that will engage with and contribute to ranking and sharing feedback, and to do so, we need some centralization in place. If a community emerges and there are authentic ways to partner with end users or other community contributors in a way that benefits everyone, we are certainly open to reconsidering our position.

What happened to the Trusty extension for VS Code?

We have temporarily removed the Trusty extension for Visual Studio Code. The Trusty team has been hard at work adding new features and functionality, including new scoring dimensions and new language support. In order to allow us to focus on those core features, we have paused development of the extension for VS Code.

We still believe that it's incredibly helpful to bring information about package safety, and the Trusty Score of a package, to you directly in your IDE. This can help you spot safety issues with dependencies right as you're importing them — instead of uncovering issues after you've merged your code.

We look forward to updating the Trusty extension for VS Code, and making it available in the marketplace again in the future.

Why is the Trusty mascot a marmot?

Marmots look out for each other: when one marmot leaves its burrow to eat, another marmot will go with it to act as a lookout. If it sees a threat, it will whistle to alert other marmots in the area about possible danger. We want Trusty to be your trusted sidekick, looking out for potential risk with your dependencies.