Trusty provides a free-to-use service with scoring and metrics about a package’s repo and author activity.
Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.
Trusty by Stacklok is a free-to-use service that helps developers make safer dependency choices. Trusty uses statistical analysis of risk factors like author and repo activity, along with a package's source of origin, to assess its trustworthiness.
Trusty provides a Trusty Score based on statistical analysis of public GitHub package data. This rating system establishes a benchmark for average levels of package activity, and is based on individual scores for repo and author activity.
When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.
Trusty uses generative AI to display a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.
Trusty's Visual Studio Code extension screens your dependencies as you import them, alerting you to packages with low scores so that you can choose safer packages at the outset and avoid rework and security risks down the road.
As you're importing an open source library into your code, the Trusty extension for Visual Studio Code will alert you if the score falls below the average activity benchmark, so you can avoid choosing a risky dependency.
The absence of CVEs doesn't mean a package is safe. Trusty goes beyond CVEs to help you evaluate whether a package is being actively maintained, where and how it was produced, and whether it shows signs of malicious activity.
Malicious actors use techniques like "typosquatting" and "starjacking" to create confusion. Trusty checks to see whether multiple packages are pointing to the same repo or have similar names, to help you choose the right package.
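As an added example (not Trusty's own code), the two checks described above can be sketched as a small defensive heuristic over package metadata: group packages by canonical repository URL to surface several packages claiming the same repo, and measure edit distance from vetted names to surface lookalikes. The package names, repo URLs, vetted set and distance threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample metadata (package name -> claimed source repo URL);
# names and URLs are invented for this example, not registry data.
PACKAGES = {
    "acme-http": "https://github.com/acme/acme-http",
    "acme-htpp": "https://github.com/acme/acme-http",
    "acmehttp": "https://github.com/someone/acmehttp",
    "widget-kit": "https://github.com/widgetco/widget-kit",
    "widget-kit-pro": "https://github.com/WidgetCo/widget-kit.git/",
}
# Packages the reader has already vetted; lookalikes are measured against these.
KNOWN_GOOD = {"acme-http", "widget-kit"}


def normalize_repo(url):
    """Canonicalise a repo URL so cosmetic variants compare equal."""
    parsed = urlparse(url.strip().lower())
    path = parsed.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return parsed.netloc + path


def levenshtein(a, b):
    """Edit distance via the classic single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def repo_collisions(packages):
    """Repos claimed by more than one package (starjacking candidates)."""
    by_repo = defaultdict(list)
    for name, url in packages.items():
        by_repo[normalize_repo(url)].append(name)
    return {repo: sorted(names) for repo, names in by_repo.items() if len(names) > 1}


def lookalike_names(packages, known_good, max_distance=2):
    """Names within max_distance edits of a vetted name (typosquat candidates)."""
    hits = []
    for name in packages:
        for good in known_good:
            if name != good and levenshtein(name, good) <= max_distance:
                hits.append((name, good, levenshtein(name, good)))
    return sorted(hits)
```

A name that is both a lookalike and a claimant of a vetted repo (here `acme-htpp`) is the strongest signal, since it combines the two techniques the text names.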
We're excited to announce the launch of Minder and Trusty, two free-to-use tools that build on the power of the open source project Sigstore to help developers and open source communities keep their software safe.