What is Trusty?
Trusty by Stacklok is a free-to-use service that helps developers assess dependency risk. Trusty uses statistical analysis of dimensions such as author and repo activity, along with a package’s source of origin, to provide an assessment about its trustworthiness. Trusty is accessible via a Visual Studio Code plug-in and a browsable web interface.
While the CVE remains an important tool in driving dependency security considerations, the viability of a dependency is driven by other key factors based on the attributes and activities of the community that produces the technology. Trusty provides a score for packages that takes into account these factors, in order to help developers looking to consume an open source package make an informed decision about that package. Trusty also uses Sigstore to display proof of a package’s origin, and to verify that our data is authentic and mapped to the correct source.
- Package scoring: Trusty provides a Trusty Score based on statistical analysis of public GitHub package data. This rating system establishes a benchmark for average levels of package activity, and is based on individual scores for repo and author activity.
- Package provenance: Trusty displays provenance information for packages when artifacts have been signed using Sigstore, to validate the package is from a trusted source.
- Malicious activity warnings: Trusty looks for and flags signs of malicious behavior, such as “typosquatting” (similarly named packages) and “starjacking” (shared repositories).
- Package recommendations: Trusty uses generative AI to display a list of related packages and their scores.
- Package metadata: Each package listing includes metadata for evaluation purposes, such as author bio links, wiki links, and GitHub stars.
- IDE support: Trusty for VS Code screens dependencies and alerts to packages with low scores at time of package import.
- Browsable web interface: Trusty provides a detailed package for each package, as well as a search functionality to find packages.
The public roadmap for Trusty is available here