Package trust and provenance verification for PyPI consumers.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for halfbloodprince from gravatar.com halfbloodprince

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Trustcheck Personal Use License
  • Tags pypi , security , supply-chain , provenance , attestations
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

trustcheck

CI Source Build CodeQL PyPI Python 3.10 | 3.11 | 3.12 | 3.13 | 3.14 PyPI Downloads Marketplace

trustcheck is a Python package and CLI for evaluating the trust posture of PyPI releases before they are installed, promoted, or approved.

It combines PyPI metadata, vulnerability records, provenance availability, cryptographic attestation verification, Trusted Publisher identity hints, and repository matching into a single operator-friendly report.

Packages that publish no provenance are treated as needing review rather than as automatic high-risk findings, while invalid provenance, partial coverage, repository mismatches, and known vulnerabilities remain stronger negative signals.

What it checks

For a selected package version, trustcheck can:

  • fetch project and release metadata from PyPI
  • verify published provenance against artifact digests
  • surface Trusted Publisher repository and workflow identity hints
  • compare expected repository input against declared and attested signals
  • flag publisher drift, missing verification, and known vulnerabilities
  • emit concise text output or structured JSON for automation

Installation

pip install trustcheck

Requirements:

  • Python >=3.10
  • Network access to PyPI

Quick start

Inspect the latest release:

trustcheck inspect requests

Inspect a specific version:

trustcheck inspect sampleproject --version 4.0.0

Show only known vulnerabilities for a release:

trustcheck inspect sampleproject --version 4.0.0 --cve

Inspect a package and its direct dependencies:

trustcheck inspect sampleproject --version 4.0.0 --with-deps

Inspect the full transitive dependency tree:

trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps

Require a release to match an expected repository:

trustcheck inspect sampleproject \
  --version 4.0.0 \
  --expected-repo https://github.com/pypa/sampleproject

Emit JSON for another tool:

trustcheck inspect sampleproject --version 4.0.0 --format json

Emit only vulnerability records as JSON:

trustcheck inspect sampleproject --version 4.0.0 --cve --format json

Fail CI when full verification is missing:

trustcheck inspect sampleproject --version 4.0.0 --strict

Use it from Python:

from trustcheck import inspect_package

report = inspect_package("sampleproject", version="4.0.0", include_dependencies=True)
print(report.recommendation)

Documentation

Full documentation: https://halfblood-prince.github.io/trustcheck/

License

Trustcheck Personal Use License

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for halfbloodprince from gravatar.com halfbloodprince

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Trustcheck Personal Use License
  • Tags pypi , security , supply-chain , provenance , attestations
  • Requires: Python >=3.10
Classifiers

Release history Release notifications | RSS feed

1.8.0

1.7.3

1.7.2

This version

1.7.1

1.7.0

1.6.1

1.5.0

1.4.3

1.4.2

1.4.1

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

trustcheck-1.7.1.tar.gz (632.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

trustcheck-1.7.1-py3-none-any.whl (33.0 kB view details)

Uploaded Python 3

File details

Details for the file trustcheck-1.7.1.tar.gz.

File metadata

  • Download URL: trustcheck-1.7.1.tar.gz
  • Upload date:
  • Size: 632.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for trustcheck-1.7.1.tar.gz
Algorithm Hash digest
SHA256 f4a625d38659ab0918e38455c938265b8298f05471bb6d4bc913e6f88343646f
MD5 1f8efdb1dbb980c3a35ccb5e6940f48f
BLAKE2b-256 c58b3e4968e0fc8b8c4603e69f938acd01c7e7b98fc20839bc9ebf825235125f

See more details on using hashes here.

Provenance

The following attestation bundles were made for trustcheck-1.7.1.tar.gz:

Publisher: publish.yml on Halfblood-Prince/trustcheck

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file trustcheck-1.7.1-py3-none-any.whl.

File metadata

  • Download URL: trustcheck-1.7.1-py3-none-any.whl
  • Upload date:
  • Size: 33.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for trustcheck-1.7.1-py3-none-any.whl
Algorithm Hash digest
SHA256 9bf3a104928379cf97541a5720fb35c9da9343bef6872d2a83b965b4320a0f4f
MD5 32402b05f08375b8fff28676ac4aecff
BLAKE2b-256 2c56c93a6350b6a745a1e124e8083e6650066422c45f767f72ec17c0956af6ea

See more details on using hashes here.

Provenance

The following attestation bundles were made for trustcheck-1.7.1-py3-none-any.whl:

Publisher: publish.yml on Halfblood-Prince/trustcheck

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page