Python developers install packages from PyPI every day with pip. Most of the time we trust that the package we install is exactly what the maintainer intended to publish.
But questions often come up:
- Who actually published this release?
- Does the package have verifiable provenance?
- Has the repository changed since the last version?
- Are there any known vulnerabilities?
To explore these questions, I built trustcheck.
What trustcheck does
trustcheck is a CLI tool that inspects trust signals for PyPI package releases.
It helps answer questions about a package before you install it.
The tool evaluates things like:
- PyPI release metadata
- package attestations
- repository association
- provenance signals
- vulnerability information
The goal is to make it easier to understand the trust posture of a Python package release.
Installation
pip install trustcheck
Example usage
Inspect a release:
trustcheck inspect sampleproject --version 4.0.0
Verify the expected repository:
trustcheck inspect sampleproject \
--version 4.0.0 \
--expected-repo https://github.com/pypa/sampleproject
Get machine-readable output:
trustcheck inspect sampleproject --version 4.0.0 --format json
Why I built this
Tools like vulnerability scanners already exist, but there are fewer tools that help developers quickly inspect package provenance and attestation signals.
trustcheck tries to surface those signals in a simple CLI so developers can make better trust decisions when evaluating packages.
Current status
The project is currently in beta.
I'm looking for feedback from:
- Python developers
- maintainers
- security engineers
- people working with CI pipelines
Feedback that would be especially useful:
- CLI usability
- missing trust signals
- ideas for CI integration
- real-world testing
GitHub repository:
https://github.com/Halfblood-Prince/trustcheck
If you're interested in Python packaging or supply-chain security, I'd really appreciate any testing or feedback to push it from BETA to a Production Grade package.
Top comments (0)