Trusty by Stacklok is a service that helps developers and security teams assess open source package and dependency risk. Trusty uses security signals such as proof of origin (or provenance), known vulnerabilities, and activity to provide an assessment of a package's health and trustworthiness. Trusty is accessible via an interactive web interface and a REST API.
While known vulnerabilities (CVEs) remain an important input to dependency security decisions, the viability of a dependency also depends on the attributes and activity of the community that produces it: whether the package's origin can be verified, who maintains it, and whether it is still actively maintained. Trusty highlights risks for packages taking these factors into account, to help developers consuming an open source package make an informed decision.
Trusty supports multiple open source package ecosystems:
- Go – golang.org
- JavaScript/TypeScript – npm
- Python – PyPI
- Rust – crates.io
- Java – Maven Central
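As an added example, not Trusty's own code or API: a small dependency gate in Python that applies a policy over the three kinds of signal the page names (provenance, known vulnerabilities, activity) to a pinned `requirements.txt` before a build is allowed to proceed. Everything below the page's list of ecosystems is an assumption constructed for this example: the `Assessment` field names, the ecosystem labels, the policy thresholds, and the package records. `sample_lookup` stands in for the REST call a real integration would make, since Trusty's endpoint and response format are not described on this page.

```python
"""Dependency gate driven by package health signals (added example, not Trusty's code)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Ecosystems from the page's list. These keys are this example's own labels,
# not identifiers from Trusty's API.
ECOSYSTEMS = {"go", "npm", "pypi", "crates.io", "maven"}


@dataclass
class Assessment:
    """Health signals for one package (field names are assumptions, not Trusty's schema)."""
    ecosystem: str
    name: str
    has_provenance: bool          # proof of origin established for the published artifact
    max_cvss: float               # highest CVSS among known vulnerabilities, 0.0 if none
    days_since_last_release: int  # activity signal
    maintainers: int              # bus-factor signal


@dataclass
class Policy:
    """Thresholds chosen for this example; tune them per project."""
    require_provenance: bool = True
    max_cvss: float = 6.9         # block anything rated High or Critical
    max_release_age_days: int = 730
    min_maintainers: int = 1


# Matches 'name==version' with optional extras and trailing environment markers.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Old_Parser' and 'old-parser' hit the same record."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Return (normalised name, pinned version) for every '==' pin; skip comments and options."""
    pins = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = _REQ_LINE.match(line)
        if m:
            pins.append((normalize_name(m.group(1)), m.group(3)))
    return pins


def evaluate(a: Assessment, policy: Policy) -> list[str]:
    """Return the policy violations for one package; an empty list means it is allowed."""
    reasons = []
    if policy.require_provenance and not a.has_provenance:
        reasons.append("no provenance: origin of the artifact cannot be verified")
    if a.max_cvss > policy.max_cvss:
        reasons.append(f"known vulnerability with CVSS {a.max_cvss:.1f} exceeds {policy.max_cvss:.1f}")
    if a.days_since_last_release > policy.max_release_age_days:
        reasons.append(f"inactive: last release {a.days_since_last_release} days ago")
    if a.maintainers < policy.min_maintainers:
        reasons.append(f"only {a.maintainers} maintainer(s)")
    return reasons


Lookup = Callable[[str, str], Optional[Assessment]]


def gate(requirements_text: str, ecosystem: str, lookup: Lookup,
         policy: Policy = Policy()) -> dict[str, list[str]]:
    """Map each pinned package to its violations. A package with no assessment fails closed."""
    if ecosystem not in ECOSYSTEMS:
        raise ValueError(f"unsupported ecosystem: {ecosystem}")
    verdicts = {}
    for name, _version in parse_requirements(requirements_text):
        a = lookup(ecosystem, name)
        verdicts[name] = evaluate(a, policy) if a else ["no assessment available: failing closed"]
    return verdicts


def blocked_packages(verdicts: dict[str, list[str]]) -> list[str]:
    """Names of packages with at least one violation, sorted for stable output."""
    return sorted(name for name, reasons in verdicts.items() if reasons)


# Constructed sample data: hypothetical package names and made-up signal values.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
--index-url https://pypi.org/simple
acme-http==1.2.3
Old_Parser==0.9.1
typo-lib[cli]==0.0.1 ; python_version >= "3.8"
unlisted-pkg==2.0.0
"""

SAMPLE_ASSESSMENTS = {
    ("pypi", "acme-http"):  Assessment("pypi", "acme-http", True, 0.0, 30, 3),
    ("pypi", "old-parser"): Assessment("pypi", "old-parser", True, 0.0, 1500, 1),
    ("pypi", "typo-lib"):   Assessment("pypi", "typo-lib", False, 7.5, 5, 1),
}


def sample_lookup(ecosystem: str, name: str) -> Optional[Assessment]:
    """Stand-in for the HTTP call to an assessment service; returns constructed records."""
    return SAMPLE_ASSESSMENTS.get((ecosystem, name))


if __name__ == "__main__":
    for name, reasons in gate(SAMPLE_REQUIREMENTS, "pypi", sample_lookup).items():
        print(f"{name}: {'ALLOW' if not reasons else 'BLOCK'}", *reasons, sep="\n  ")
```

Two design choices matter more than the thresholds: a package the service has no record for is blocked rather than waved through (fail closed), and names are normalised before lookup so a typosquat such as `Old_Parser` cannot slip past a record keyed on `old-parser`. Swap `sample_lookup` for a real client once the service's request and response format is known.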