Your dependencies have dependencies: new features to assess risk

danbarr

Dan Barr

Posted on November 12, 2024

Your dependencies have dependencies: new features to assess risk

Stacklok has just rolled out some major updates to Trusty, our free-to-use service that helps developers assess dependency risk in open source packages. These new features are designed to help you make informed decisions about the software dependencies you bring into your projects.

Transitive dependency analysis

The open source ecosystem is a complex web of interdependencies and relationships. When you’re picking the right packages to use in your project, assessing them for risk is a great way to make your project more secure. But the first layer of dependencies only scratches the surface. Your dependencies have dependencies, and so do those, and so on -- it's turtles dependencies all the way down. Those indirect dependencies further down the tree might bring hidden vulnerabilities or license compliance risks that aren't immediately obvious.

Trusty now ingests and analyzes transitive dependencies to help you understand the full scope of your dependency tree. For each package version, Trusty crawls the dependency tree to identify the package's direct and indirect dependencies. Along with the list of downstream packages, Trusty surfaces key risk indicators, license information, and activity scores to help you understand the full scope of potential security and health risks lurking deep within your dependency chain.

Refreshed UI and security signals

The Trusty web interface has a fresh new look, highlighting more intuitive security signals and activity scores. Our goal is to make it easier to quickly assess health and security signals and to help you make a decision based on the risk and activity signals that matter most to you.

Screenshot of the Trusty package details interface

And for those who prefer to walk on the dark side, Trusty now fully supports dark mode. 😎

Check out an overview of the new UI in the docs: https://docs.stacklok.com/trusty/how-to/package-overview/

New API version

Of course, the best way to use Trusty is to integrate it directly into your development flow. Version 2 of the Trusty API is now available with new and updated endpoints supporting the latest scoring updates and features like transitive dependencies. You can check out the new and improved API docs here: https://docs.stacklok.com/trusty/ref/api/

The quickest way to get started with automating Trusty is the integration with Minder, the open-source software supply chain automation tool that Stacklok recently donated to the OpenSSF. And check out Stacklok Cloud, our fully managed public SaaS instance of Minder that is free to use with public repositories.

Let us know what you think

At Stacklok, we’re committed to helping all developers navigate the complex world of open source dependencies and build more secure software. Check out Trusty today at https://trustypkg.dev to start understanding your software supply chain risk.

As always, we're eager to hear your feedback. Leave a comment below, and join us in the Stacklok community Discord to chat about the updates, package scoring, and software supply chain in general!

💖 💪 🙅 🚩
danbarr
Dan Barr

Posted on November 12, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related