Halfblood-Prince/trustcheck
GitHub: Halfblood-Prince/trustcheck
A trust-assessment tool that verifies PyPI package attestations and metadata, helping improve Python supply-chain security.
Stars: 25 | Forks: 1
# trustcheck
Badges: [CI](https://github.com/Halfblood-Prince/trustcheck/actions/workflows/ci.yml) · [Source build](https://github.com/Halfblood-Prince/trustcheck/actions/workflows/source-build.yml) · [CodeQL](https://github.com/Halfblood-Prince/trustcheck/actions/workflows/codeql.yml) · [PyPI](https://pypi.org/project/trustcheck/) · [Downloads (pepy.tech)](https://pepy.tech/projects/trustcheck) · [GitHub Action](https://github.com/marketplace/actions/trustcheck-python-package-scanner)
`trustcheck` is a Python package and CLI for evaluating the trust posture of PyPI releases before they are installed, promoted, or approved.
It combines PyPI metadata, vulnerability records, provenance availability, cryptographic attestation verification, Trusted Publisher identity hints, and repository matching into a single operator-friendly report.
## What it checks
For a selected package version, `trustcheck` can:
- fetch project and release metadata from PyPI
- verify published provenance against artifact digests
- surface Trusted Publisher repository and workflow identity hints
- compare expected repository input against declared and attested signals
- flag publisher drift, missing verification, and known vulnerabilities
- emit concise text output or structured JSON for automation
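Two of the checks listed above, artifact digest verification and repository matching, are simple enough to show end to end. The block below is an added example written for this README, not trustcheck's own code: it works on a constructed metadata record in the shape of the public PyPI JSON API (`info.project_urls`, `urls[].digests.sha256`), verifies a constructed artifact against the declared digest, and normalizes the many spellings of a repository URL before comparing them with an expected repository. It covers only the declared-metadata side of repository matching; the attested signals trustcheck also consults (provenance and Trusted Publisher identity) are outside this example.

```python
"""Added example (not trustcheck's own code): digest verification and
repository matching over a constructed, PyPI-shaped metadata record.
Field names follow the public PyPI JSON API; everything else here is an
assumption made for this example."""
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed sample in the shape of https://pypi.org/pypi/<project>/<version>/json.
# The artifact bytes are made up; the digest is computed from them so the
# "happy path" verifies, exactly as a genuine index record would.
SAMPLE_ARTIFACT = b"constructed wheel bytes for the example\n"
SAMPLE_METADATA = {
    "info": {
        "name": "sampleproject",
        "version": "4.0.0",
        "project_urls": {
            "Homepage": "https://github.com/pypa/sampleproject",
            "Source": "git+https://github.com/pypa/sampleproject.git",
        },
    },
    "urls": [
        {
            "filename": "sampleproject-4.0.0-py3-none-any.whl",
            "packagetype": "bdist_wheel",
            "digests": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
        }
    ],
}


def verify_digest(metadata: dict, filename: str, artifact: bytes) -> bool:
    """True only if the artifact's sha256 equals the digest the index declares
    for that filename. An unknown filename or a missing digest is a failure,
    not a pass: absence of evidence must never verify."""
    for entry in metadata.get("urls", []):
        if entry.get("filename") == filename:
            declared = entry.get("digests", {}).get("sha256")
            if not declared:
                return False
            return hashlib.sha256(artifact).hexdigest() == declared.lower()
    return False


def normalize_repo_url(url: str) -> Optional[str]:
    """Reduce the common spellings of a hosted repository URL to
    'host/owner/repo': strips a git+ prefix, a .git suffix, trailing slashes
    and case. Returns None for anything that is not https with owner/repo,
    so a plain-http or malformed URL can never accidentally match."""
    if url.startswith("git+"):
        url = url[len("git+"):]
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"{parsed.netloc.lower()}/{owner.lower()}/{repo.lower()}"


def repo_matches(metadata: dict, expected_repo: str) -> bool:
    """True if any declared project URL resolves to the expected repository.
    project_urls may be null in real index records, hence the `or {}`."""
    expected = normalize_repo_url(expected_repo)
    if expected is None:
        return False
    declared = metadata.get("info", {}).get("project_urls") or {}
    return any(normalize_repo_url(u) == expected for u in declared.values())


if __name__ == "__main__":
    wheel = "sampleproject-4.0.0-py3-none-any.whl"
    print("digest ok:", verify_digest(SAMPLE_METADATA, wheel, SAMPLE_ARTIFACT))
    print("repo ok:", repo_matches(SAMPLE_METADATA, "https://github.com/pypa/sampleproject/"))
    print("drift detected:", not repo_matches(SAMPLE_METADATA, "https://github.com/other-org/sampleproject"))
```

Both functions fail closed: a filename the index does not list, a record with no sha256, or a repository URL that is not https all return `False` rather than being skipped, which is the behaviour a CI gate needs so that a missing signal cannot be mistaken for a passing one.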
## Installation
```bash
pip install trustcheck
```
Requirements:
- Python `>=3.10`
- Network access to PyPI
## Quick start
Inspect the latest release:
```bash
trustcheck inspect requests
```
Inspect a specific version:
```bash
trustcheck inspect sampleproject --version 4.0.0
```
Require a release to match an expected repository:
```bash
trustcheck inspect sampleproject \
--version 4.0.0 \
--expected-repo https://github.com/pypa/sampleproject
```
Emit JSON for another tool:
```bash
trustcheck inspect sampleproject --version 4.0.0 --format json
```
Fail CI when full verification is missing:
```bash
trustcheck inspect sampleproject --version 4.0.0 --strict
```
Use it from Python:
```python
from trustcheck import inspect_package
report = inspect_package("sampleproject", version="4.0.0")
print(report.recommendation)
```
## Documentation
Full documentation: https://halfblood-prince.github.io/trustcheck/
- Getting started: [Installation](https://halfblood-prince.github.io/trustcheck/getting-started/installation/) and [Quickstart](https://halfblood-prince.github.io/trustcheck/getting-started/quickstart/)
- CLI usage: [CLI overview](https://halfblood-prince.github.io/trustcheck/cli/), [Policies](https://halfblood-prince.github.io/trustcheck/cli/policies/), and [Config and offline mode](https://halfblood-prince.github.io/trustcheck/cli/configuration/)
- Integrations: [JSON contract](https://halfblood-prince.github.io/trustcheck/reference/json-contract/), [Python API](https://halfblood-prince.github.io/trustcheck/reference/python-api/), and [Compatibility](https://halfblood-prince.github.io/trustcheck/reference/compatibility/)
- Trust model: [Verification model and repository matching](https://halfblood-prince.github.io/trustcheck/reference/trust-model/)
- Automation: [CI integration](https://halfblood-prince.github.io/trustcheck/guides/ci-integration/)
- Project details: [Development and release process](https://halfblood-prince.github.io/trustcheck/guides/development/) and [Changelog](https://halfblood-prince.github.io/trustcheck/changelog/)
## License
[Trustcheck Personal Use License](LICENSE)
Tags: CI/CD security, cryptographic attestation, Llama, provenance verification, PyPI, Python supply-chain security, Supply Chain Attack, code signing, trust assessment, package management, package verification, trusted publishers, threat intelligence, security compliance, security scanning, integrity checking, developer tools, digital certificates, timing injection, structured queries, network proxy, automated security, software supply-chain security, software supply-chain attacks, remote method invocation, reverse-engineering tools