About this roadmap

This roadmap should serve as a reference point for Trusty users to understand where the product is heading. The roadmap is where you can learn about what features we're working on, what stage they're in, and when we expect to bring them to you. Priorities and requirements may change based on community feedback, roadblocks encountered, community contributions, and other factors.

How to contribute

Have any questions or comments about items on the Trusty roadmap? Share your feedback via GitHub discussions or join our Community Discord Server.

Last updated: April 2024

In progress

  • Include additional metadata on packages: Provide more information on packages including known vulnerabilities from OSV and license information.
  • Show dependencies and dependents of package: List the dependencies included in a package, and which other packages use the package as a dependency (with links to Trusty detailed pages).
  • Manual annotations: Enable Stacklok to correct scores, and enable users to up/downvote packages and submit comments and provenance info.
  • Track package versions separately: Create separate Trusty detailed pages and scores for each version of a package.
  • Enhanced supply chain threat detection: Increase Trusty's ability to discover malicious or fraudulent capabilities within packages ingested by Trusty.


  • New scoring dimension: Transitive dependencies: Introduce a new scoring dimension that incorporates factors such as the quality of a package’s dependencies and which other packages use the package as a dependency.
  • New scoring dimension: Risk flags: Introduce a new scoring dimension that incorporates factors such as the depth of the package description and the frequency of releases.
  • New scoring dimension: Popularity/community: Introduce a new scoring dimension that incorporates factors such as community ratings.
  • Trusty GitHub Action: Create a GitHub Action for Trusty and publish it to the marketplace.
  • Anomaly detection: Implement anomaly detection techniques to monitor for illegitimate activity such as stars, forks, and watchers created by bot accounts.

Future considerations

  • Expand support to additional languages: Add additional packages based on an expanded set of languages (e.g., NuGet, Homebrew).
  • Additional package form factors: Expand Trusty to support additional package form factors such as machine learning models and container images.
  • Show trend graph of scores over time: Enable users to understand how a package’s score has changed over time.
  • Receive emails when favorite package scores change: Users are able to set up email alerts based on Trusty score trends for favorite packages.
  • Refine search parameters and package recommendations: Enable users to refine search criteria based on package metadata, such as number of GitHub stars.
  • User profile page and preferences: Enable users to create their own Trusty profile page and set user preferences.