
tayyabt / trustlock

Public

A Git-native dependency admission controller. Evaluates trust signals on every dependency change and blocks commits or builds when packages fail your team's policy. Pre-commit hook + CI gate with built-in approval workflow.

18
0
100% credibility
Found Apr 15, 2026 at 16 stars.
AI Analysis

Language: JavaScript

AI Summary

trustlock evaluates trust signals (package age, provenance attestations, version pinning, install scripts, and package sources) on every dependency change in a supported lockfile. It runs as a Git pre-commit hook in advisory mode and as a CI check in enforce mode.

How It Works

1. 🕵️ Discover trustlock: You hear about trustlock, a guard that checks new "ingredients" (dependencies) in your project to spot potential risks before they are admitted.

2. 📦 Add to your project: You add trustlock to your project so it can watch over your dependencies.

3. 🔒 Capture a safe starting point: trustlock scans your current dependency set and saves a trusted snapshot of all your ingredients as the safety baseline.

4. ⚙️ Link to your workflow: You configure it to check changes automatically, right before you commit your work.

5. Update ingredients: each dependency change has one of two outcomes.
   - All clear: everything passes, and your baseline updates automatically.
   - ⚠️ Flag raised: trustlock spots something new or risky and asks for your review.

6. 👍 Review and approve: For flagged items, you add a temporary approval with a reason, keeping an audit trail.

🎉 Project protected: Your commits go through with only trusted ingredients, and your safety baseline stays up to date.

AI-Generated Review

What is trustlock?

Trustlock is a JavaScript dependency admission controller that evaluates trust signals—cooldown periods, SLSA provenance, pinning, install scripts, sources, new dependencies, transitive changes, and publisher shifts—on every lockfile change. Installed as a Git pre-commit hook for advisory warnings or a CI gate to block failing builds, it supports npm, pnpm, yarn, and Python lockfiles with policy inheritance for teams. Developers get immediate feedback on risky dependency updates, preventing supply chain attacks before they hit main.

Why is it gaining traction?

Unlike vulnerability scanners that react after a package has already been admitted, trustlock acts as a proactive gate, with built-in approval workflows for overrides, audit commands for checking overall posture, and SARIF/JSON outputs for CI tooling. Its zero-runtime-dependency design and monorepo-friendly cross-audits stand out, letting teams enforce dependency policies without heavy setup. The Git-native flow catches changes at commit time, so fresh packages no longer slip in through silent npm installs.

Who should use this?

Supply chain security leads in Node.js or Python teams enforcing strict policies on monorepos; open-source maintainers blocking unproven dependencies; or DevOps engineers gating CI builds against transitive surprises. Ideal for organizations that want shared, inherited policies enforcing admission controls on both commits and builds.

Verdict

Worth trying for teams prioritizing dependency admission checks: solid docs and a clear CLI make onboarding fast despite 16 stars and a 1.0% credibility score. Still early; pair it with CVE scanning tools until the project matures.
