Make safer dependency choices

Trusty is a free-to-use web app that makes it easier for developers to understand the activity level and risk profile of an open source package. Use Trusty before you import an open source library or framework to make sure you're taking a dependency on safe, actively maintained software.

What is Trusty?

Trusty by Stacklok is a free-to-use service that helps developers make safer dependency choices. Trusty uses statistical analysis of risk factors like author and repo activity, along with a package's source of origin, to assess its trustworthiness.

Sign up for the OSS Trust Graph private beta!

The OSS Trust Graph, a new capability of Trusty, is a way to model trust in open source ecosystems. It maps the connections between open source contributors and projects, and, through a “proof-of-diligence” algorithm, uses that data to build an understanding of the relative safety and sustainability of those projects. 

Trusty: Key capabilities

Activity scoring

Trusty provides a Trusty Score based on statistical analysis of public GitHub package data. This rating system establishes a benchmark for average levels of package activity, and is based on individual scores for repo and author activity.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to display a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

Why use Trusty?

Minder integration

Integrate dependency risk checks into your development workflow. Use Minder to automatically flag PRs that contain external dependencies with low Trusty scores, indicating that they might be unsafe or unmaintained.

Holistic dependency evaluation

The absence of CVEs doesn't mean a package is safe. Trusty goes beyond CVEs to help you evaluate whether a package is being actively maintained, where and how it was produced, and the presence of malicious activity.

Malicious activity checks

Malicious actors use techniques like "typosquatting" and "starjacking" to create confusion. Trusty checks to see whether multiple packages are pointing to the same repo or have similar names, to help you choose the right package.

Trusty product screenshot
Video Demo

Learn more about Trusty’s key features in this demo from Stacklok Principal Engineer Evan Anderson.

Stacklok logo
© 2024 Stacklok