Halfblood-Prince

Verify PyPI package attestations and improve Python supply-chain security

100% credibility
Found Apr 12, 2026 at 18 stars.
AI Summary (Python)

trustcheck is a tool that inspects Python packages from PyPI and reports on their safety, origins, known issues, and trust signals before you add them to your projects.

How It Works

1. 🕵️ Wonder if a package is safe: You find a helpful tool online and want to check whether a new package is trustworthy before adding it to your projects.
2. 📥 Get the safety checker: You install the free checker in moments.
3. 🔍 Check any package: You give it the package name, and it scans for known issues, origins, and trust signals.
4. 📊 See the easy report: A clear summary shows whether everything checks out, with tips on any concerns.
5. Make a smart choice: You can confidently add the package or pick a safer one.
6. 😊 Projects stay secure: Your work is protected from bad software, and you build with peace of mind.

AI-Generated Review

What is trustcheck?

trustcheck is a Python CLI and library that scans PyPI packages for supply-chain risks before installation. Run `trustcheck inspect requests` to fetch metadata, check provenance attestations, verify publisher identities against GitHub repos, flag vulnerabilities, and generate a trust report with tiers like "verified" or "high-risk." It solves the blind-install problem by combining PyPI metadata verification, provenance checks, and repository matching into one operator-friendly output, including JSON for automation.

Why is it gaining traction?

Unlike basic metadata scrapers, trustcheck verifies cryptographic attestations against artifact digests, detects publisher drift across releases, and enforces strict policies via `--strict` or custom JSON configs, failing CI on unverified provenance. Developers use it to check PyPI publisher email hints, alignment with GitHub-verified commits, or expected-repo matching, with offline caching and stable JSON schemas making it CI-ready without flakiness. The concise reports and exit codes turn vague security signals into actionable gates.
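To make the checks described above concrete (binding an attestation to the artifact digest, an `--expected-repo`-style gate, publisher drift across releases, and strict-mode exit codes), here is a small self-contained Python script. It is example code written for this page, not trustcheck's own implementation: the simplified attestation shape, the tier names, the exit codes, and all sample artifact and release data are constructed assumptions.

```python
from __future__ import annotations

import hashlib

# Constructed bytes standing in for a downloaded wheel; not a real package.
ARTIFACT = b"PK\x03\x04 example_pkg-2.0.0-py3-none-any.whl (constructed contents)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the digest PyPI lists per release file."""
    return hashlib.sha256(data).hexdigest()


# Constructed, simplified attestation records. A real PyPI attestation is a signed
# Sigstore bundle; only the two fields these checks consume are modelled here.
ATTESTATION_OK = {
    "subject_sha256": sha256_hex(ARTIFACT),
    "publisher": {"kind": "GitHub", "repository": "example-org/example-pkg",
                  "workflow": "release.yml"},
}
ATTESTATION_DRIFTED = {
    "subject_sha256": sha256_hex(ARTIFACT),
    "publisher": {"kind": "GitHub", "repository": "someone-else/example-pkg-fork",
                  "workflow": "release.yml"},
}

# Constructed publisher history of earlier releases, oldest first: (version, repository).
PRIOR_RELEASES = [("1.8.0", "example-org/example-pkg"), ("1.9.0", "example-org/example-pkg")]


def check_attestation(artifact: bytes, attestation: dict | None) -> list[str]:
    """Bind the attestation to the bytes actually downloaded via its subject digest."""
    if attestation is None:
        return ["no provenance attestation published for this artifact"]
    if attestation["subject_sha256"] != sha256_hex(artifact):
        return ["attestation subject digest does not match the downloaded artifact"]
    return []


def check_expected_repo(attestation: dict, expected_repo: str | None) -> list[str]:
    """Hypothetical --expected-repo gate: the attested publisher must be the repo we trust."""
    actual = attestation["publisher"]["repository"]
    if expected_repo is not None and actual != expected_repo:
        return [f"publisher repository {actual!r} is not the expected {expected_repo!r}"]
    return []


def detect_publisher_drift(releases: list[tuple[str, str]]) -> list[str]:
    """Flag every release whose publisher repository differs from the previous release's."""
    drifts = []
    for (prev_ver, prev_repo), (ver, repo) in zip(releases, releases[1:]):
        if repo != prev_repo:
            drifts.append(f"publisher changed from {prev_repo} ({prev_ver}) to {repo} ({ver})")
    return drifts


def assess(artifact: bytes, attestation: dict | None, version: str,
           prior_releases: list[tuple[str, str]], expected_repo: str | None = None,
           strict: bool = False) -> dict:
    """Combine the checks into a trust tier and a CI-style exit code.

    Tiers and codes are constructed for this example: 'verified' (0),
    'warning' (0, or 1 under strict mode), 'high-risk' (2).
    """
    problems = check_attestation(artifact, attestation)
    warnings: list[str] = []
    if not problems:
        problems += check_expected_repo(attestation, expected_repo)
        current = (version, attestation["publisher"]["repository"])
        warnings = detect_publisher_drift(prior_releases + [current])
    if problems:
        tier, code = "high-risk", 2
    elif warnings:
        tier, code = "warning", (1 if strict else 0)
    else:
        tier, code = "verified", 0
    return {"tier": tier, "exit_code": code, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    import json

    # A release whose attestation is valid but published from an unexpected repo:
    # the gate fails hard, and the drift is reported alongside it.
    report = assess(ARTIFACT, ATTESTATION_DRIFTED, "2.0.0", PRIOR_RELEASES,
                    expected_repo="example-org/example-pkg", strict=True)
    print(json.dumps(report, indent=2))
    raise SystemExit(report["exit_code"])
```

The digest check is the load-bearing step: an attestation that names a different digest than the bytes on disk proves nothing about those bytes, so a mismatch is treated as a hard failure rather than a warning. Drift is only advisory by default because legitimate projects do move repositories, which is why a strict mode that escalates it to a non-zero exit code is useful as a CI gate.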

Who should use this?

Security engineers hardening dependency pipelines, DevOps teams approving packages in air-gapped CI, or release managers verifying that GitHub Education packs and Copilot licenses match PyPI publishes. Ideal for orgs mandating provenance before `pip install`, especially with `--expected-repo` for trusted GitHub sources.

Verdict

Grab it for beta-stage supply-chain hygiene—solid docs, 90%+ test coverage, and PyPI Trusted Publishing itself build trust despite 18 stars and 1.0% credibility score. Maturity lags adoption, so pair with manual review until stars climb.
