Frequently asked questions
Can you tell me more about Stacklok, the company behind Trusty?
Stacklok's mission is to make it easier for developers to build trustworthy software. Our free-to-use products, Trusty and Minder, help developers make safer dependency choices and help development teams and open source maintainers adopt safer development practices.
Our co-founders, Craig McLuckie and Luke Hinds, are veterans of the open source and software security communities. Craig McLuckie co-founded Kubernetes, an open source system for automating deployment, scaling, and management of containerized applications. Luke Hinds founded Sigstore, an open source project that dramatically simplifies how developers sign and verify software artifacts.
Learn more about us at www.stacklok.com.
How is Trusty different from other tools that list information about open source packages?
Trusty takes a holistic approach to assessing open source package risk. It combines statistical analysis of factors like contributor and repository activity with validation of a package's provenance to provide clear and reliable data about its trustworthiness.
Existing tools do surface information about open source packages, but that information can be spoofed. For example, a malicious actor may use "starjacking": pointing a package's declared repository URL at a popular, unrelated project so that the project's stars and activity appear to belong to the package. Trusty uses Sigstore to display proof of a package's origin and to verify that our data is authentic and mapped to the correct source.
In addition, Trusty integrates with Minder, so development teams can create policies based on Trusty's risk signals. For example, you can create a policy to block pull requests that contain dependencies with vulnerabilities or low activity health scores.
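As an added illustration of the starjacking problem described above (this is example code, not Trusty's own algorithm or source), the Python script below shows the basic shape of a check: read the repository URL a package declares, normalize it to an owner/name pair, and confirm that the repository's own manifest actually names the package. Every package name, repository name and star count here is constructed sample data, and the two dictionaries stand in for a registry lookup and a GitHub lookup that a real tool would perform over the network.

```python
"""Starjacking check on constructed package metadata (runs offline).

A package whose repository field points at a popular project that does not
publish it inherits that project's stars and activity in naive dashboards.
The check below refuses to credit a repository's popularity to a package
unless the repository's own manifest names that package.
"""
import re
from typing import Optional

# Constructed registry documents in the shape of npm's /<package> response,
# reduced to the fields the check needs. All names are hypothetical.
REGISTRY = {
    "popular-lib": {
        "name": "popular-lib",
        "repository": {"type": "git", "url": "git+https://github.com/example-org/popular-lib.git"},
    },
    "popular-lib-helpers": {  # claims the popular repo, which does not publish it
        "name": "popular-lib-helpers",
        "repository": {"type": "git", "url": "https://github.com/example-org/popular-lib"},
    },
    "orphan-tool": {  # declares no repository at all
        "name": "orphan-tool",
    },
    "ghost-pkg": {  # repository field points at a repo that does not exist
        "name": "ghost-pkg",
        "repository": {"type": "git", "url": "git@github.com:example-org/does-not-exist.git"},
    },
}

# Constructed stand-in for a GitHub lookup: what each repository's own
# package manifest declares as its name, plus its star count.
REPOS = {
    "example-org/popular-lib": {"manifest_name": "popular-lib", "stars": 12000},
}

# The common spellings of a GitHub repository reference in package metadata.
_GITHUB_FORMS = [
    re.compile(r"^(?:git\+)?https?://github\.com/([^/]+)/([^/#?]+)"),
    re.compile(r"^git@github\.com:([^/]+)/([^/#?]+)"),
    re.compile(r"^(?:github:)?([^/:@\s]+)/([^/#?\s]+)$"),
]


def normalize_github_repo(url: str) -> Optional[str]:
    """Reduce a GitHub URL or shorthand to 'owner/name'; None for other hosts."""
    url = url.strip()
    for pattern in _GITHUB_FORMS:
        m = pattern.match(url)
        if m:
            owner, name = m.group(1), m.group(2)
            if name.endswith(".git"):
                name = name[:-4]
            return f"{owner}/{name}"
    return None


def check_starjacking(package: str, registry=REGISTRY, repos=REPOS) -> dict:
    """Return a verdict and the star count the package may legitimately claim."""
    meta = registry[package]
    repo_field = meta.get("repository")
    url = repo_field.get("url") if isinstance(repo_field, dict) else repo_field
    if not url:
        return {"package": package, "repo": None, "verdict": "no-repository", "stars": 0}
    repo = normalize_github_repo(url)
    if repo is None:
        return {"package": package, "repo": url, "verdict": "unsupported-host", "stars": 0}
    info = repos.get(repo)
    if info is None:
        return {"package": package, "repo": repo, "verdict": "repo-not-found", "stars": 0}
    if info["manifest_name"] != meta["name"]:
        # The repo exists and is popular, but it does not publish this package:
        # its stars must not be credited to the package.
        return {"package": package, "repo": repo, "verdict": "starjacking-suspected", "stars": info["stars"]}
    return {"package": package, "repo": repo, "verdict": "ok", "stars": info["stars"]}


if __name__ == "__main__":
    for name in REGISTRY:
        result = check_starjacking(name)
        print(f"{result['package']:<20} {result['verdict']:<22} repo={result['repo']} stars={result['stars']}")
```

The name comparison is the simplest useful signal; a production check would also want the repository to be reachable, to contain a manifest at the declared path, and ideally to carry a provenance attestation linking the published artifact back to that repository.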
How is Trusty's rating system different from OpenSSF Scorecard?
Trusty is complementary to OpenSSF Scorecard. OpenSSF Scorecard is a tool that helps open source project owners and developers check whether their project meets security best practices. It runs a series of checks on practices such as release signing, fuzzing, and Static Application Security Testing (SAST), assigning a score for each practice to help project owners understand where they need to improve.
However, OpenSSF Scorecard does not provide scoring or usage guidance based on package activity, contributor reputation, provenance, or signals of malicious activity such as typosquatting and starjacking.
We strongly recommend using OpenSSF Scorecard as another way to evaluate open source software security, and are evaluating ways to make this information openly available in Trusty for easier evaluation.
Will Trusty support other types of packages, like NuGet and Homebrew?
Yes. We started with Python, JavaScript, and Rust packages, and followed up with support for Java and Go. We have plans to expand to additional languages.
Why can't I see provenance information for Python or Rust packages?
We can only display provenance information for package ecosystems that support publishing packages with provenance, like npm (JavaScript). Even on npm, a package only carries provenance if its maintainer published it with provenance from a supported CI system, so not every npm package will show it. As other ecosystems begin to support this, we will surface this information in Trusty.
Why isn't Trusty open source?
We aim to deliver Trusty as a free-to-use, SaaS-based solution and have not yet decided whether elements of Trusty will be open source. To be as transparent as possible: we believe that the key ingredient to the success of an open source project is the interest, and ultimately the ability, of end users to build and run the project. In the case of Trusty, given the complexity of the data science going into the project and the complexity and cost of establishing the machine learning environment, we are not (at this time) convinced that anyone would benefit from access to the core algorithms and source code.
Our ambition is also to bring together a community of individuals who will engage with and contribute to ranking and sharing feedback. To do so, we need some centralization in place. If a community emerges and there are authentic ways to partner with end users or other community contributors in a way that benefits everyone, we are certainly open to reconsidering our position.
Why is the Trusty mascot a marmot?
Marmots look out for each other: when one marmot leaves its burrow to eat, another marmot goes with it to act as a lookout. If it sees a threat, it whistles to alert other marmots in the area about possible danger. We want Trusty to be your trusted sidekick, looking out for potential risks with your dependencies.