Trusty is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
Trusty is a free-to-use web app that makes it easier for developers to understand the activity level and risk profile of an open source package. Use Trusty before you import an open source library or framework to make sure you're taking a dependency on safe, actively maintained software.
Trusty by Stacklok is a free-to-use service that helps developers make safer dependency choices. Trusty uses statistical analysis of risk factors like author and repo activity, along with a package's source of origin, to assess its trustworthiness.
Trusty provides a Trusty Score based on statistical analysis of public GitHub package data. This rating system establishes a benchmark for average levels of package activity, and is based on individual scores for repo and author activity.
When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.
Trusty uses generative AI to display a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.
Integrate dependency risk checks into your development workflow. Use Minder to automatically flag PRs that contain external dependencies with low Trusty scores, indicating that they might be unsafe or unmaintained.
The absence of CVEs doesn't mean a package is safe. Trusty goes beyond CVEs to help you evaluate whether a package is being actively maintained, where and how it was produced, and the presence of malicious activity.
Malicious actors use techniques like "typosquatting" and "starjacking" to create confusion. Trusty checks whether multiple packages point to the same repo or have similar names, to help you choose the right package.
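As an added example (not Trusty's own code), here is a Python sketch of the two heuristics described above, run over a constructed registry snapshot: package names within a small edit distance of a well-known name, and distinct packages that all claim the same source repository. The package names, repo URLs and distance threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    repo_url: str  # source repository the package metadata claims to come from


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_repo(url: str) -> str:
    """Fold trivial URL variations so 'repo.git' and 'repo/' compare equal."""
    return url.lower().rstrip("/").removesuffix(".git")


def flag_packages(packages, popular_names, max_distance=2):
    """Return {package_name: [reasons]} for packages that deserve a closer look.

    A shared repo is a signal, not proof: both claimants are flagged, and a
    human decides which one is the impostor (the starjacking case).
    """
    by_repo = defaultdict(list)
    for p in packages:
        by_repo[normalize_repo(p.repo_url)].append(p.name)
    flags = defaultdict(list)
    for p in packages:
        claimants = by_repo[normalize_repo(p.repo_url)]
        if len(claimants) > 1:
            others = sorted(n for n in claimants if n != p.name)
            flags[p.name].append(f"repo also claimed by {', '.join(others)}")
        for popular in popular_names:
            if p.name != popular and edit_distance(p.name.lower(), popular.lower()) <= max_distance:
                flags[p.name].append(f"name within {max_distance} edit(s) of {popular}")
    return dict(flags)


# Constructed sample registry snapshot (hypothetical packages and URLs).
SAMPLE = [
    Package("widgetlib", "https://github.com/example-org/widgetlib"),
    Package("wigdetlib", "https://github.com/example-attacker/wigdetlib"),
    Package("fast-widgets", "https://github.com/example-org/widgetlib.git"),
    Package("leftpad", "https://github.com/example-other/leftpad"),
]
POPULAR = ["widgetlib"]

if __name__ == "__main__":
    for name, reasons in flag_packages(SAMPLE, POPULAR).items():
        print(name, "->", "; ".join(reasons))
```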