GitHub Action

TrustyPkg Action

v0.0.5 Latest version

Run Trusty against your dependencies for supply chain risks

Installation

Copy and paste the following snippet into your .yml file.

- name: TrustyPkg Action
  uses: stacklok/trusty-action@v0.0.5

Learn more about this action in stacklok/trusty-action


Trusty Dependency Analysis Action

Get a security and quality analysis of your dependencies with TrustyPkg!


Features

  • Check whether the dependencies are malicious, deprecated or archived
  • Assess the quality and security of your dependencies using TrustyPkg activity heuristics
  • See whether the package can be traced to a legitimate source code repository, using sigstore and Trusty's historical provenance algorithm
  • Understand whether the package is a possible typosquatting attack
  • Get a list of recommended alternatives to the dependency

Overview

This action takes any dependencies added within a pull request and assesses their quality using the Trusty API. If any dependency scores below the configured threshold (see details below), the action fails.

If any dependencies are malicious, deprecated, or archived, the action will also fail.

Full language support (in line with Trusty):

  • Python
  • JavaScript
  • Java
  • Rust
  • Go

Usage

To use this action, you can add the following to your workflow:

name: TrustyPkg Dependency Check

on:
  pull_request:
    branches:
      - main

jobs:
  trusty_pkg_check:
    runs-on: ubuntu-latest
    name: Check Dependencies with TrustyPkg
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: TrustyPkg Action
        uses: stacklok/trusty-action@v0.0.5
        with:
          global_threshold: 5
          provenance_threshold: 5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
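The check the overview and workflow describe, as an added illustration that is not the action's own code: pull the added lines out of a manifest diff, then fail any dependency that is flagged malicious, deprecated or archived or that scores under the global or provenance threshold. The diff, the per-package report values and their field names are constructed assumptions; the real Trusty API response shape is not on this page.

```python
import re
# Constructed unified diff of a requirements.txt, standing in for a pull request's change set.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,5 @@
 requests==2.31.0
-flask==2.3.2
+flask==3.0.0
+reqeusts==0.1.0
+leftpad==1.0.0
"""
# Constructed stand-in for per-package Trusty results; the field names are an assumption.
SAMPLE_REPORTS = {
    "flask":    {"score": 9.0, "provenance": 8.5, "malicious": False, "deprecated": False, "archived": False},
    "reqeusts": {"score": 2.0, "provenance": 0.0, "malicious": True,  "deprecated": False, "archived": False},
    "leftpad":  {"score": 6.0, "provenance": 3.0, "malicious": False, "deprecated": False, "archived": False},
}


def added_dependencies(diff: str) -> list[str]:
    """Names on '+' lines of a requirements.txt diff; '+++' file headers are skipped."""
    names = []
    for line in diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            match = re.match(r"\+\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
            if match:
                names.append(match.group(1).lower())
    return names


def evaluate(names, reports, global_threshold, provenance_threshold) -> dict[str, list[str]]:
    """Map each added dependency to the reasons it would fail; an empty dict means the check passes."""
    failures: dict[str, list[str]] = {}
    for name in names:
        report = reports.get(name)
        reasons = []
        if report is None:
            reasons.append("no Trusty report")  # unknown package: fail closed
        else:
            # Any of these flags fails the check regardless of score.
            reasons += [flag for flag in ("malicious", "deprecated", "archived") if report[flag]]
            if report["score"] < global_threshold:
                reasons.append(f"score {report['score']} < {global_threshold}")
            if report["provenance"] < provenance_threshold:
                reasons.append(f"provenance {report['provenance']} < {provenance_threshold}")
        if reasons:
            failures[name] = reasons
    return failures
```

Run with the workflow's values (`global_threshold: 5`, `provenance_threshold: 5`) and only `flask` passes: `reqeusts` is flagged malicious and `leftpad` misses the provenance bar.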

Inputs

Only one input is available for this action:

score_threshold: The minimum score required for a dependency to be considered high quality. Anything below this score will fail the action.