Trusty provides a free-to-use service with scoring and metrics about a package’s repo and author activity.
Stacklok helps developers and open source communities keep their software secure and choose safer dependencies.
Trusty by Stacklok is a free-to-use service that uses statistical analysis of author and repo activity, along with a package’s source of origin, to provide an assessment about its trustworthiness.
Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.
Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.
When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.
Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.
Matt Klein
Founder, Envoy proxy
“Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices.”
Minder is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what they've built is secure.
Simplify configuration and management of security settings and policies across repos.
Manage your dependency security posture by enforcing controls and helping developers make better choices.
Continuously verify that packages are signed to ensure they're tamper-proof, using the open source project Sigstore.
Daniel Finneran
Isovalent
"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."