Choose safer open source dependencies, right in your IDE
What is Trusty
Trusty (by Stacklok) is a free-to-use service that helps developers choose safer open source dependencies. Trusty provides a rating system that is based on statistical analysis of risk factors like author and repo activity and signs of malicious activity, including typosquatting and “starjacking” (which is when a malicious actor copies metadata, including GitHub stars, from a reputable package).
What can you do with Trusty?
When you import an open source library in your IDE that has a low Trusty Score, Trusty will show you an alert in VS Code, letting you know that the package might not be safe to use. The alert will include a link to the full listing on trustypkg.dev, so that you can get more information about the package and decide whether to use it.
We make sure that our data and scores are reliable and accurate by pulling in provenance information from Sigstore (when available), to verify that a package actually comes from the source it claims to.
Trusty Features
Real-time flagging: Trusty can show you an alert as you’re importing an open source library, to help you gauge whether you want to use it. Our goal is to help you save time by not importing packages that are likely to lead to rework and security issues later.
Open source package scoring: Trusty’s rating system is derived from statistical analysis of public GitHub package data. This ranking system establishes a benchmark for average levels of package activity.
Package alternatives: Trusty also uses generative AI to provide a list of related packages and their scores, to help developers find a better option if needed.
Additional information available in Trusty’s web UI includes:
Malicious activity warnings: Trusty looks for and flags signs of malicious behavior, like “typosquatting” (spelling the name of a popular package slightly wrong) and “masquerading” or “starjacking”. When we detect the possibility of malicious activity, we will lower the package’s overall Trusty Score.
Validation of package provenance: Trusty displays Sigstore provenance information for npm packages, when the author has signed their artifacts. This helps you ensure that the data you’re seeing for a package is verified and traceable to the correct source.
Additional package metadata: Each package listing includes metadata to help you evaluate packages in more detail, like author bio links, wiki links, and GitHub stars.
What languages and package managers does Trusty support?
Trusty is available for the following types of packages today: