How Trusty Works
Trusty by Stacklok starts from the observation that, while CVEs remain an important tool for driving security decisions, they are not the only practical way to judge whether a piece of software is safe to depend on. A package with no published CVE may still be abandoned, unmaintained, or controlled by an untrustworthy maintainer, and none of that shows up in a vulnerability feed.
While still at an experimental stage, Trusty is exploring ways to capture and reproduce the approach that many developers already take when evaluating a technology. It looks at the attributes and activities of the community that produces the package, and then for signals that might raise concern about that package.
Trusty introduces the concept of Activity Scores for packages. Beyond that, it attempts to identify other patterns in a package's community that could indicate potential for exploitation, and to bring those findings to the attention of developers who are deciding whether to consume an Open Source package.