Stacklok Insight is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
We’re excited to announce support for Go packages in Trusty! Go developers can now use Trusty to vet the safety and trustworthiness of their dependencies. With Go, Trusty now supports five major package ecosystems, along with Java, JavaScript, Rust, and Python.
Go is the language of choice for modern microservices and many cloud native ecosystem projects. It’s flexible, easy to use, and has built-in productivity features for developers like a rich standard library, and built-in testing support.
The Go community has also been thoughtful about package security. For example, Go packages are imported via their source URL. This means there’s a verifiable link from the package to its source code, so that you can inspect the code and verify that the software is what it says it is, and does what it says it will do. (For more on why software provenance matters, read CTO Luke Hinds’ blog post here.)
When it comes to determining whether an open source package is safe to use, there are other factors beyond provenance to consider. One key factor is whether the package is being actively maintained, and if it has a strong community behind it. It’s a best practice to verify that an open source package doesn’t have any known CVEs when you import it. But you also want to make sure that the package’s maintainers are likely to be around in the future to patch CVEs when they inevitably occur.
In Trusty, we’ve indexed popular Go packages and scored them on safety factors including repo and author activity, using statistical analysis of public GitHub data like stars, forks, watchers, open issues, and the number of followers of the repo’s contributors. A package’s Trusty Score can give you a quick signal as to whether you’re taking a dependency on active and non-malicious software.
Here are the factors that contribute to a Go project’s overall Trusty Score:
Repo Activity Score: A relative ranking of the level of activity within the package’s primary repository, based on statistical analysis.
Author Activity Score: A relative aggregate rank of the top contributors to the repository, based on statistical analysis.
Typosquatting: Indicates whether a package is likely to be a “typosquat,” the practice of malicious actors who give their packages a slightly similar name to a reputable package, with the intention of tricking developers into installing a malicious package.
Proof of Origin (Provenance): Indicates the strength of the link between a published package and its source repository.
For Go packages, this score is always a 10, since the packages are imported via their source URL.
Let’s take a closer look at some popular Go open source packages (from the great list at @avelino/awesome-go) and how they’ve been scored.
BigCache (an efficient cache for gigabytes of data): Trusty Score of 7.2
BigCache has 63 contributors and 7,000 stars, so it has high scores for repo and author activity.
Bleve (modern text indexing library): Trusty Score of 7.4
With 246 open issues, 85 contributors, and nearly 10,000 GitHub stars, Bleve also ranks highly for repo and author activity.
Prometheus (monitoring system and time series database): Trusty Score of 8.7
Prometheus is a really popular and widely used CNCF project, so it’s not surprising that it has a high Trusty Score. Prometheus has over 50k GitHub stars and many open issues and contributors, so its repo score is especially high. Its author activity score is slightly lower, which could indicate that some contributors to the project are not as active on GitHub and may not contribute frequently.
Now, let’s take a look at a package with a low Trusty Score. Groundup is an open source dashboard that generates code for apps written in Go. It has a Trusty Score of just 1.9:
When we take a closer look at the score details here, we can see that Groundup has low repo and author activity scores. That’s because there are 0 open issues, 12 followers, and only 2 contributors to this project—one of whom hasn’t had any activity on GitHub in the past year. These are helpful signals for a developer who may be considering taking a critical dependency on this project.
I’m a Go developer. How can Trusty help me?
Like many developers, you’re probably using Google or Go’s package manager to find a package. You’ll get a lot of good information that way, but you won’t necessarily be able to tell whether the package is being well maintained and has a strong community behind it. You can use Trusty’s web app to vet an open source Go package before you use it, and get a better signal as to whether it’s “safe” to use from a security and activity perspective.
I’m a maintainer of an open source Go project. What can I do to improve my project’s Trusty Score?
Great question! As you can see from above, Trusty scores are highest for Go projects with strong communities and active, connected contributors, so if you’re actively maintaining and improving your project, your Trusty Score should naturally be high. But if you’re looking for specific ways to improve your score, here are a few tips that can help:
Keep growing and contributing to your project! Trusty looks at the number of open issues, the number of repositories in your project, watchers, and star count, among other activity factors. Regular releases, updates, and additions to your project shows users that your project is active and also factors into your repo and author scores.
Contribute to other projects on GitHub. Trusty’s scoring favors authors who also contribute to other projects on GitHub, with the idea that, if a person is contributing frequently across GitHub, they’re more likely to keep their project maintained.
Continue to grow your community. A project with a healthy number of contributors who are actively submitting issues and PRs—as well as users watching and following the repo—is likely to have a high Trusty Score. Using free, community-oriented tools like Discord and Mastodon; speaking at open source conferences; and posting about your project on sites like Dev.to and Reddit are all good ways to help promote and grow your project.
You can also give us feedback on your project’s score—join our Discord channel to chat with our product team.
See our documentation here for a full breakdown of how Trusty scores are calculated.
Hmm, I can’t find the Go package that I’m looking for in Trusty.
To start, we’ve indexed the top 1,000 most popular Go packages (based on packages that have the highest number of GitHub stars, and that have go.mod files). Trusty can index new packages on demand, though, so when you search for a package that we haven’t yet indexed, you’ll see an option to access it using a link. When you click on that link, Trusty will create a page for that package and start pulling in the data.
We’re continuously adding new capabilities and scoring dimensions in Trusty to make this service more useful for you. A few features that are next on our roadmap include:
Sigstore provenance for Python and Rust packages
Inclusion of vulnerability data (from osv.dev) and license information
Showing a package’s dependencies, and what other packages depend on it
Check out our full roadmap for Trusty here. Let us know what features you’d like to see next—join our Discord channel to share your feedback!
Visit trustypkg.dev to look up dependencies for your next Go project!