Trusty is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
Malicious attacks are becoming more sophisticated, and AI is making it easier and faster for attackers to execute them. We need new ways to detect and prevent supply chain attacks. Stacklok is developing new tools and approaches, in alignment with open source communities.
Minder Cloud helps open source developers and communities use open source security tools and standards to continuously secure their software projects, and provide proof of that security to their downstream consumers.
No more manual configuration and spreadsheets. Use Minder Cloud to apply and consistently enforce the same set of policies across a group of project repos.
Minder flags dependencies in pull requests that have known CVEs or high supply chain risk, and provides a list of safer alternatives to help developers find a different package to use.
Implement GitHub-recommended best practices like limiting workflow permissions and pinning actions to commit SHAs (Minder can even do this automatically for you!).
Daniel Finneran
Isovalent
"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."
Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.
Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.
When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.
Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.
Matt Klein
Founder, Envoy proxy
“Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices."
A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.