What is Trusty?

Trusty by Stacklok is a free-to-use service that helps developers assess dependency risk. Trusty uses statistical analysis of dimensions such as author and repo activity, along with a package’s source of origin, to provide an assessment about its trustworthiness. Trusty is accessible via a Visual Studio Code plug-in and a browsable web interface.

While CVEs remain an important tool in driving dependency security considerations, the viability of a dependency is also driven by other key factors: the attributes and activities of the community that produces the technology. Trusty provides a score for packages that takes these factors into account, to help developers looking to consume an open source package make an informed decision about it. Trusty also uses Sigstore to display proof of a package’s origin, and to verify that its data is authentic and mapped to the correct source.

Features

  • Package scoring: Trusty provides an overall Trusty Score based on statistical analysis of public GitHub package data. This rating system establishes a benchmark for average levels of package activity, and is based on individual scores for repo and author activity.
  • Package provenance: Trusty displays two types of provenance information for packages. When a package has been signed and built using Sigstore, Trusty displays the Sigstore provenance information. When a package has not been signed with Sigstore, Trusty attempts to establish a link from the package to its source repo by matching Git tags and releases to published package versions (build provenance).
  • Malicious activity warnings: Trusty uses external sources to flag known malicious packages. Additionally, Trusty looks for and flags signs of malicious behavior, such as “typosquatting” (similarly named packages) and “starjacking” (shared repositories).
  • Package recommendations: Trusty uses generative AI to display a list of related packages and their scores.
  • Package metadata: Each package listing includes metadata for evaluation purposes, such as author bio links, wiki links, and GitHub stars.
  • Browsable web interface: Trusty provides a detailed page for each package, as well as search functionality to find packages.
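As an added illustration of the build-provenance check described above (example code written for this page, not Trusty's own implementation), the following maps published package versions to the Git tags that appear to correspond to them; the tag-prefix list, the package name and the sample tags are assumed.

```python
import re
from typing import Dict, List, Optional

# Tag prefixes commonly used by open source repos (assumed list, not Trusty's).
_TAG_PREFIXES = ("v", "release-", "release/", "rel-", "version-")


def normalize_tag(tag: str, package: str) -> Optional[str]:
    """Reduce a git tag to the bare version it most likely denotes.

    Handles "v1.2.3", "release-1.2.3" and monorepo-style "pkg@1.2.3" /
    "pkg-1.2.3". Returns None when the tag does not look like a version
    of this package (e.g. a tag for a sibling package in a monorepo).
    """
    t = tag.strip()
    for sep in ("@", "-"):
        prefix = f"{package}{sep}"
        if t.lower().startswith(prefix.lower()):
            t = t[len(prefix):]
            break
    else:
        if "@" in t:  # "<other-package>@x.y.z" belongs to a different package
            return None
    for p in _TAG_PREFIXES:
        if t.lower().startswith(p):
            t = t[len(p):]
            break
    # bare semver-like version, optionally with a pre-release/build suffix
    if re.fullmatch(r"\d+(\.\d+)*([-+][0-9A-Za-z.]+)?", t):
        return t
    return None


def match_build_provenance(package: str, versions: List[str],
                           tags: List[str]) -> Dict[str, Optional[str]]:
    """Map each published version to a matching tag, or None if no tag matches."""
    by_version: Dict[str, str] = {}
    for tag in tags:
        v = normalize_tag(tag, package)
        if v is not None and v not in by_version:  # first matching tag wins
            by_version[v] = tag
    return {ver: by_version.get(ver) for ver in versions}


def provenance_coverage(matches: Dict[str, Optional[str]]) -> float:
    """Fraction of published versions that could be linked to a repo tag."""
    if not matches:
        return 0.0
    return sum(1 for t in matches.values() if t is not None) / len(matches)


if __name__ == "__main__":
    # Constructed sample data: a package whose newest release has no tag.
    m = match_build_provenance("acme-lib", ["1.0.0", "1.1.0", "1.2.0"],
                               ["v1.0.0", "release-1.1.0", "other-tool@2.0.0"])
    print(m, f"coverage={provenance_coverage(m):.2f}")
```

A version with no matching tag is the case worth investigating: the published artifact cannot be tied back to a point in the repo's history.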

Status

Experimental stage

The public roadmap for Trusty is available here