Make safer dependency choices

Trusty is a free-to-use web app that makes it easier for developers to understand the activity level and risk profile of an open source package. Use Trusty before you import an open source library or framework to make sure you're taking a dependency on safe, actively maintained software.

What is Trusty?

Trusty by Stacklok is a free-to-use service that helps developers make safer dependency choices. Trusty uses statistical analysis of risk factors like author and repo activity, along with a package's source of origin, to assess its trustworthiness.

Sign up for the OSS Trust Graph private beta!

The OSS Trust Graph, a new capability of Trusty, is a way to model trust in open source ecosystems. It maps the connections between open source contributors and projects, and, through a “proof-of-diligence” algorithm, uses that data to build an understanding of the relative safety and sustainability of those projects. 

Trusty: Key capabilities

Activity scoring

Trusty provides a Trusty Score based on statistical analysis of public GitHub package data. The score is benchmarked against average levels of package activity across the ecosystem and combines two sub-scores: one for repo activity and one for author activity.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to display a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

Why use Trusty?

Minder integration

Integrate dependency risk checks into your development workflow. Use Minder to automatically flag PRs that contain external dependencies with low Trusty scores, indicating that they might be unsafe or unmaintained.

Holistic dependency evaluation

The absence of CVEs doesn't mean a package is safe. Trusty goes beyond CVEs to help you evaluate whether a package is being actively maintained, where and how it was produced, and whether it shows signs of malicious activity.

Malicious activity checks

Malicious actors use techniques like "typosquatting" (publishing a package whose name is one typo away from a popular one) and "starjacking" (pointing a package at a popular project's repo so it inherits that project's stars and reputation) to trick developers into installing the wrong package. Trusty checks whether multiple packages point to the same repo or have similar names, to help you choose the right package.
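The two checks described above, as an added example (this is not Trusty's code, and the package list, repo URLs and "popular" allow-list are constructed for the illustration): packages are grouped by the source repo they declare, so that several names claiming one repo surface as a possible starjack, and non-popular names within a small edit distance of a popular name surface as possible typosquats.

```python
"""Toy typosquatting and starjacking checks over constructed registry metadata.

Added example, not Trusty's implementation. PACKAGES and POPULAR are constructed.
"""
from collections import defaultdict

# Constructed sample of registry metadata: package name -> declared source repo.
PACKAGES = {
    "requests": "https://github.com/psf/requests",
    "reqeusts": "https://github.com/example/reqeusts",        # constructed typosquat
    "requests-turbo": "https://github.com/psf/requests",      # constructed starjack
    "lodash": "https://github.com/lodash/lodash",
    "lodahs": "https://github.com/lodash/lodash.git",         # constructed: both patterns
}

# Constructed allow-list of well-known names to compare candidates against.
POPULAR = {"requests", "lodash"}


def normalize_repo(url: str) -> str:
    """Canonicalise a repo URL so trivial variants (.git, case, slash) compare equal."""
    url = url.strip().lower().rstrip("/")
    if url.endswith(".git"):
        url = url[:-4]
    return url


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def find_shared_repos(packages: dict) -> dict:
    """Group package names by declared repo; keep only repos claimed by more than one name."""
    by_repo = defaultdict(list)
    for name, repo in packages.items():
        by_repo[normalize_repo(repo)].append(name)
    return {repo: sorted(names) for repo, names in by_repo.items() if len(names) > 1}


def find_lookalikes(packages: dict, popular: set, max_distance: int = 2) -> list:
    """Non-popular names within max_distance edits of a popular name."""
    hits = []
    for name in packages:
        if name in popular:
            continue
        for target in sorted(popular):
            d = levenshtein(name, target)
            if 0 < d <= max_distance:
                hits.append((name, target, d))
    return sorted(hits)


def assess(packages: dict, popular: set, max_distance: int = 2) -> dict:
    """Combine both checks into per-package flags; popular names are never flagged."""
    flags = defaultdict(set)
    for names in find_shared_repos(packages).values():
        for name in names:
            if name in popular:
                continue
            for other in names:
                if other != name:
                    flags[name].add(f"shares_repo_with:{other}")
    for name, target, _ in find_lookalikes(packages, popular, max_distance):
        flags[name].add(f"lookalike_of:{target}")
    return {name: sorted(f) for name, f in sorted(flags.items())}


if __name__ == "__main__":
    for name, reasons in assess(PACKAGES, POPULAR).items():
        print(f"{name}: {', '.join(reasons)}")
```

A shared repo is not proof of malice on its own (forks and legitimate companion packages also point at an upstream repo), which is why the example reports reasons rather than a verdict and leaves the popular package itself unflagged; the edit-distance threshold should be tuned per ecosystem, since short names produce many false positives at distance 2.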

Video Demo

Learn more about Trusty’s key features in this demo from Stacklok Principal Engineer Evan Anderson.