Package trust and provenance verification for PyPI consumers.

These details have been verified by PyPI

Project links

GitHub Statistics

Maintainers

halfbloodprince

These details have not been verified by PyPI

Project links

Project description

trustcheck

trustcheck is a Python package and CLI for evaluating the trust posture of PyPI releases before they are installed, promoted, or approved.

It combines PyPI metadata, vulnerability records, provenance availability, cryptographic attestation verification, Trusted Publisher identity hints, and repository matching into a single operator-friendly report.

Packages that publish no provenance are treated as needing review rather than as automatic high-risk findings, while invalid provenance, partial coverage, repository mismatches, and known vulnerabilities remain stronger negative signals.

What it checks

For a selected package version, trustcheck can:

fetch project and release metadata from PyPI
verify published provenance against artifact digests
surface Trusted Publisher repository and workflow identity hints
compare expected repository input against declared and attested signals
flag publisher drift, missing verification, and known vulnerabilities
emit concise text output or structured JSON for automation

Installation

pip install trustcheck

Requirements:

Python >=3.10
Network access to PyPI

Quick start

Inspect the latest release:

trustcheck inspect requests

Inspect a specific version:

trustcheck inspect sampleproject --version 4.0.0

Show only known vulnerabilities for a release:

trustcheck inspect sampleproject --version 4.0.0 --cve

Inspect a package and its direct dependencies:

trustcheck inspect sampleproject --version 4.0.0 --with-deps

Inspect the full transitive dependency tree:

trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps

Inspect every package listed in a requirements-style file:

trustcheck scan requirements.txt

Inspect dependencies declared in a TOML project file:

trustcheck scan pyproject.toml

Require a release to match an expected repository:

trustcheck inspect sampleproject \
  --version 4.0.0 \
  --expected-repo https://github.com/pypa/sampleproject

Emit JSON for another tool:

trustcheck inspect sampleproject --version 4.0.0 --format json

Emit combined JSON for a requirements-style or TOML file scan:

trustcheck scan requirements.txt --format json

Emit only vulnerability records as JSON:

trustcheck inspect sampleproject --version 4.0.0 --cve --format json

Fail CI when full verification is missing:

trustcheck inspect sampleproject --version 4.0.0 --strict

Use it from Python:

from trustcheck import inspect_package

report = inspect_package("sampleproject", version="4.0.0", include_dependencies=True)
print(report.recommendation)

Documentation

Full documentation: https://halfblood-prince.github.io/trustcheck/

Getting started: Installation and Quickstart
CLI usage: CLI overview, Policies, and Config and offline mode
Integrations: JSON contract, Python API, and Compatibility
Trust model: Verification model and repository matching
Automation: CI integration
Project details: Development and release process and Changelog

License

Trustcheck Personal Use License

Project details

These details have been verified by PyPI

Project links

GitHub Statistics

Maintainers

halfbloodprince

These details have not been verified by PyPI

Project links

Release history Release notifications | RSS feed

This version

1.8.0

Apr 16, 2026

1.7.3

Apr 16, 2026

1.7.2

Apr 16, 2026

1.7.1

Apr 16, 2026

1.7.0

Apr 16, 2026

1.6.1

Apr 15, 2026

1.5.0

Apr 15, 2026

1.4.3

Apr 13, 2026

1.4.2

Apr 12, 2026

1.4.1

Apr 12, 2026

1.4.0

Apr 12, 2026

1.3.2

Apr 12, 2026

1.3.1

Apr 9, 2026

1.3.0

Apr 9, 2026

1.2.0

Apr 7, 2026

1.1.0

Apr 4, 2026

1.0.0

Apr 3, 2026

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

trustcheck-1.8.0.tar.gz (639.5 kB view details)

Uploaded Apr 16, 2026 Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

The dropdown lists show the available interpreters, ABIs, and platforms. Enable javascript to be able to filter the list of wheel files.

trustcheck-1.8.0-py3-none-any.whl (36.4 kB view details)

Uploaded Apr 16, 2026 Python 3

File details

Details for the file trustcheck-1.8.0.tar.gz.

File metadata

Download URL: trustcheck-1.8.0.tar.gz
Upload date: Apr 16, 2026
Size: 639.5 kB
Tags: Source
Uploaded using Trusted Publishing? Yes
Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for trustcheck-1.8.0.tar.gz
Algorithm	Hash digest
SHA256	`ec0a2a8eb90e2daab0deccf4200199e19c589a14bbaf6c64993238ade95e0ac4`
MD5	`f19c140bd819268cf68e49d430e4745d`
BLAKE2b-256	`75fa9f60ac0d86b33ba72036dc75c9a068e912ce9119b85473eb450ac3cd44a9`

See more details on using hashes here.

Provenance

The following attestation bundles were made for trustcheck-1.8.0.tar.gz:

Publisher: publish.yml on Halfblood-Prince/trustcheck

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: trustcheck-1.8.0.tar.gz
- Subject digest: ec0a2a8eb90e2daab0deccf4200199e19c589a14bbaf6c64993238ade95e0ac4
- Sigstore transparency entry: 1318822426
- Sigstore integration time: Apr 16, 2026
Source repository:
- Permalink: Halfblood-Prince/trustcheck@a553aae98f45bbb4ec1aa200a6781212ef3cbc66
- Branch / Tag: refs/tags/v1.8.0
- Owner: https://github.com/Halfblood-Prince
- Access: public
Publication detail:
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@a553aae98f45bbb4ec1aa200a6781212ef3cbc66
- Trigger Event: push

File details

Details for the file trustcheck-1.8.0-py3-none-any.whl.

File metadata

Download URL: trustcheck-1.8.0-py3-none-any.whl
Upload date: Apr 16, 2026
Size: 36.4 kB
Tags: Python 3
Uploaded using Trusted Publishing? Yes
Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for trustcheck-1.8.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`763f49d55874e0f8231cc9ea54d528ada7e369cf138bd282f51f7be4601f2251`
MD5	`f2abbb28f9f1548299b9123a2773040c`
BLAKE2b-256	`d5914ef08f0f477f0d2c5f28996c9ae1cb61443887c325633ba20245d082a773`

See more details on using hashes here.

Provenance

The following attestation bundles were made for trustcheck-1.8.0-py3-none-any.whl:

Publisher: publish.yml on Halfblood-Prince/trustcheck

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: trustcheck-1.8.0-py3-none-any.whl
- Subject digest: 763f49d55874e0f8231cc9ea54d528ada7e369cf138bd282f51f7be4601f2251
- Sigstore transparency entry: 1318822561
- Sigstore integration time: Apr 16, 2026
Source repository:
- Permalink: Halfblood-Prince/trustcheck@a553aae98f45bbb4ec1aa200a6781212ef3cbc66
- Branch / Tag: refs/tags/v1.8.0
- Owner: https://github.com/Halfblood-Prince
- Access: public
Publication detail:
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@a553aae98f45bbb4ec1aa200a6781212ef3cbc66
- Trigger Event: push

trustcheck 1.8.0

Navigation

Verified details

Project links

GitHub Statistics

Maintainers

Unverified details

Project links

Meta

Classifiers

Project description

trustcheck

What it checks

Installation

Quick start

Documentation

License

Project details

Verified details

Project links

GitHub Statistics

Maintainers

Unverified details

Project links

Meta

Classifiers

Release history Release notifications | RSS feed

Download files

Source Distribution

Built Distribution

File details

File metadata

File hashes

Provenance

File details

File metadata

File hashes

Provenance