Make safer dependency choices

Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.

What is Trusty?

Trusty by Stacklok is a free-to-use service that helps developers make safer dependency choices. Trusty uses statistical analysis of risk factors like author and repo activity, along with a package's source of origin, to assess its trustworthiness.

Video Demo

Learn more about Trusty’s key features in this demo from Stacklok Principal Engineer Evan Anderson.

Trusty Features

Activity scoring

Trusty provides a Trusty Score based on statistical analysis of public GitHub package data. This rating system establishes a benchmark for average levels of package activity, and is based on individual scores for repo and author activity.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to display a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

IDE support

Trusty's Visual Studio Code extension screens your dependencies as you import them, alerting you to packages with low scores so that you can choose safer packages at the outset and avoid rework and security risks down the road.

Why use Trusty?

Real-time feedback

As you're importing an open source library into your code, the Trusty extension for Visual Studio Code will alert you if the score falls below the average activity benchmark, so you can avoid choosing a risky dependency.

Holistic dependency evaluation

The absence of CVEs doesn't mean a package is safe. Trusty goes beyond CVEs to help you evaluate whether a package is being actively maintained, where and how it was produced, and whether it shows signs of malicious activity.

Malicious activity checks

Malicious actors use techniques like "typosquatting" and "starjacking" to create confusion. Trusty checks to see whether multiple packages are pointing to the same repo or have similar names, to help you choose the right package.
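To illustrate the two signals described above, here is an added example (not Trusty's code, and not how Trusty computes its scores) that scans a constructed registry snapshot for packages that claim the same source repo or carry near-identical names; the package names, repo URLs and the 0.85 similarity threshold are assumptions made for the example.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample registry metadata: hypothetical package names and repo
# URLs made up for this example, not real packages.
PACKAGES = [
    {"name": "requests-lib", "repo": "https://github.com/example/requests-lib"},
    {"name": "reqeusts-lib", "repo": "https://github.com/Example/requests-lib.git"},
    {"name": "reqests-lib", "repo": "https://github.com/someone-else/reqests-lib"},
    {"name": "fastparse", "repo": "https://github.com/example/fastparse"},
    {"name": "pretty-colors", "repo": "https://github.com/example/fastparse"},
]

def normalize_repo(url: str) -> str:
    """Canonicalise a repo URL so case, scheme and '.git' variants compare equal."""
    url = url.strip().lower()
    for prefix in ("https://", "http://"):
        if url.startswith(prefix):
            url = url[len(prefix):]
    url = url.rstrip("/")
    return url[:-4] if url.endswith(".git") else url

def shared_repo_groups(packages):
    """Starjacking signal: distinct package names that all claim the same repo."""
    by_repo = defaultdict(set)
    for pkg in packages:
        by_repo[normalize_repo(pkg["repo"])].add(pkg["name"])
    return {repo: sorted(names) for repo, names in by_repo.items() if len(names) > 1}

def similar_name_pairs(packages, threshold=0.85):
    """Typosquatting signal: name pairs whose similarity ratio meets the threshold."""
    names = sorted({pkg["name"] for pkg in packages})
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ratio = SequenceMatcher(None, a, b).ratio()
            if ratio >= threshold:
                pairs.append((a, b, round(ratio, 3)))
    return pairs

def flag_packages(packages, threshold=0.85):
    """Map each package name to the reasons it deserves a closer look before use."""
    reasons = defaultdict(set)
    for repo, names in shared_repo_groups(packages).items():
        for name in names:
            reasons[name].add(f"shares repo {repo} with {len(names) - 1} other package(s)")
    for a, b, ratio in similar_name_pairs(packages, threshold):
        reasons[a].add(f"name resembles {b} (ratio {ratio})")
        reasons[b].add(f"name resembles {a} (ratio {ratio})")
    return dict(reasons)
```

A flagged name is a prompt to look at the package's provenance and activity, not a verdict on its own; a legitimate fork or a renamed project will trip the same checks.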

Blog

Announcing Minder and Trusty: Free-to-use tools to help developers and open source communities build safer software

We're excited to announce the launch of Minder and Trusty, two free-to-use tools that build on the power of the open source project Sigstore to help developers and open source communities keep their software safe.

© 2023 Stacklok