Build safer software.

Stacklok helps developers and open source communities keep their software secure and choose safer dependencies.

Trusty by Stacklok is a free-to-use service that uses statistical analysis of author and repo activity, along with a package’s source of origin, to provide an assessment about its trustworthiness.

Make safer dependency choices

Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.

Activity scoring

Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

Matt Klein

Founder, Envoy proxy

“Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices."

Keep your software secure

Minder is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what they've built is secure.

Repo configuration and security

Simplify configuration and management of security settings and policies across repos.

Dependency and license management

Manage your dependency security posture by enforcing controls and helping developers make better choices.

Artifact signing and verification

Continuously verify that packages are signed to ensure they're tamper-proof, using the open source project Sigstore.

Daniel Finneran


"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."

Stacklok logo
© 2024 Stacklok