{"id":26138406,"url":"https://github.com/stacklok/trusty-action","last_synced_at":"2025-12-25T03:36:52.050Z","repository":{"id":230692395,"uuid":"778948356","full_name":"stacklok/trusty-action","owner":"stacklok","description":"Trusty Dependency Analysis Action","archived":false,"fork":false,"pushed_at":"2024-05-09T07:44:22.000Z","size":588,"stargazers_count":0,"open_issues_count":5,"forks_count":0,"subscribers_count":15,"default_branch":"main","last_synced_at":"2024-05-10T08:32:57.359Z","etag":null,"topics":["devsecops","security","securiy-tools","software","supply-chain"],"latest_commit_sha":null,"homepage":"https://trustypkg.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stacklok.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-28T18:16:51.000Z","updated_at":"2024-05-27T23:09:35.847Z","dependencies_parsed_at":"2024-04-30T10:01:06.944Z","dependency_job_id":"e599eca7-2378-4ace-9b0e-6bc7bc7fbf89","html_url":"https://github.com/stacklok/trusty-action","commit_stats":null,"previous_names":["stacklok/trusty-action"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ftrusty-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ftrusty-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ftrusty-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ftrusty-action/manifests","owner_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stacklok","download_url":"https://codeload.github.com/stacklok/trusty-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242956542,"owners_count":20212455,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","security","securiy-tools","software","supply-chain"],"created_at":"2025-03-11T01:58:04.610Z","updated_at":"2025-12-25T03:36:52.005Z","avatar_url":"https://github.com/stacklok.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"⚠️ **DEPRECATED**: This GitHub Action is no longer maintained. Use at your own risk.\n\n# Trusty Dependency Risk Action\n\n### Check the quality and safety of dependencies in pull requests\n\n[Trusty](https://trustypkg.dev/) by [Stacklok](https://stacklok.com) is a free-to-use service that helps developers assess dependency risk. Trusty uses statistical analysis of dimensions such as author and repo activity, along with a package’s source of origin, to provide an assessment about its trustworthiness.\n\nThis action integrates Trusty into your GitHub workflow,\nallowing you to automatically check the quality and safety of your dependencies\non every pull request.\n\nThe Trusty service used by this action analyzes thousands of packages a day\nacross multiple languages to provide a security and quality\nanalysis of dependencies. 
Dependencies are run through a series of static analysis, machine learning, and malware\ndetection checks to capture potential security risks or quality issues.\n\n![Main Pull Request](docs/main.png)\n\n## Overview\n\nThis action takes any added dependencies within a pull request and assesses their\nrelative risk using the [Trusty](https://trustypkg.dev/) API. If any dependencies are\nfound to be below a certain threshold (see details below), the action will fail.\n\nIf any dependencies are malicious, deprecated, or archived, the action will also fail.\n\nLanguage Support (in line with Trusty):\n\n* Python\n* JavaScript\n* Java\n* Rust\n* Go\n\n## Features\n\nCheck if dependencies are malicious, deprecated or archived\n\n![Malicious Package](docs/malicious.png)\n\nCheck if dependencies are deprecated or archived (and get alternative recommendations)\n\n![Archived Package](docs/archived.png)\n\nCheck if dependencies have a [proven source of origin provenance map](https://docs.stacklok.com/trusty/understand/provenance) (using sigstore or Git Tag / Release mapping)\n\n![Provenance Package](docs/prov.png)\n\nAssess the author and repository activity and security risks of dependencies\n\n![Activity Package](docs/activity.png)\n\n## Usage\n\nTo use this action, you can add the following to your workflow:\n\n```yaml\nname: TrustyPkg Dependency Check\n\non:\n  pull_request:\n    branches:\n      - main\n\n# Required for the action to post comments to pull requests\npermissions:\n  pull-requests: write\n\njobs:\n  trusty_pkg_check:\n    runs-on: ubuntu-latest\n    name: Check Dependencies with TrustyPkg\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: TrustyPkg Action\n        uses: stacklok/trusty-action@v0.0.7\n        with:\n          global_threshold: 5\n          provenance_threshold: 5\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n```\n\n\u003e [!NOTE]  \n\u003e You do not need to create a 
GITHUB_TOKEN; the action uses the default token provided by GitHub Actions at runtime.\n\n## Inputs\n\nThe following inputs are available for this action:\n\n`global_threshold`: The minimum score required for a dependency to be considered\nhigh quality. Anything below this score will fail the action.\n\n`repo_activity_threshold`: The minimum score required for a repo to be considered\nactively maintained. Anything below this score will fail the action.\n\n`author_activity_threshold`: The minimum score required for an author to be considered\nactively maintaining their packages. Anything below this score will fail the action.\n\n`provenance_threshold`: The minimum score required for a package to have a proven source\nof origin. Anything below this score will fail the action.\n\n`typosquatting_threshold`: The minimum score required for a package to be considered\nnot typosquatting. Anything below this score will fail the action.\n\n`fail_on_malicious`: Whether to fail the action if a package is malicious. Default is `true`.\n\n`fail_on_deprecated`: Whether to fail the action if a package is deprecated. Default is `true`.\n\n`fail_on_archived`: Whether to fail the action if a package is archived. Default is `true`.\n\n## Like this action?\n\nIf you like this action, please consider starring the repository and sharing it with your friends! You can also follow us on Twitter at [@trustypkg](https://twitter.com/trustypkg) for updates and news about TrustyPkg!\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacklok%2Ftrusty-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstacklok%2Ftrusty-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacklok%2Ftrusty-action/lists"}