PyPI supply-chain assurance

TrustCheck

Choose Python packages with release evidence, not advisory counts alone. TrustCheck verifies provenance, repository identity, artifact posture, vulnerability intelligence, and policy evidence before a package reaches production.

Sigstore provenance Trusted Publisher context OSV and PyPI advisories SARIF, SBOM, VEX
trustcheck inspect sampleproject --version 4.0.0 --strict Policy outcome: approved for promotion
01 Verified provenance

Attestation envelope, builder claims, source materials, and artifact digests align.

02 Repository match

Declared, expected, and attested source repositories point to the same upstream.

03 Advisory clean

PyPI and OSV vulnerability signals are normalized, aliased, and policy scored.

04 Audit package

JSON, Markdown, SARIF, SBOM, and VEX outputs keep the decision traceable.

Why it exists

Vulnerability scanning is necessary. It is not enough.

A clean advisory result does not tell you who built the release, which source repository it came from, whether provenance covers every artifact, or whether the package matches your organization's approval policy. TrustCheck turns those missing signals into a single release decision with evidence you can keep.

Package input Metadata Provenance Repository Artifacts Advisories Trust decision

Assurance surface

Everything a release gate needs in one tool.

TrustCheck is built for maintainers, security teams, and platform engineers who need a repeatable answer before dependencies are installed, promoted, or merged.

Provenance

Verify how the release was built

Validate Sigstore attestations, SLSA build definitions, source materials, builders, and artifact digests.

Identity

Connect PyPI to the real upstream

Compare project metadata, Trusted Publisher hints, expected repositories, tags, commits, and attested source.

Advisories

Keep vulnerability context in the decision

Normalize PyPI and OSV advisories, aliases, fixed versions, severity, suppression, and policy impact.

Artifacts

Inspect distributions without importing code

Review wheels and sdists for native binaries, static findings, suspicious files, and source-release mismatch.

Policy

Gate releases with explicit rules

Use strict mode, expected repositories, trusted project lists, dependency policies, and CI-friendly exits.

Evidence

Export reports auditors can follow

Generate Markdown, JSON, SARIF, CycloneDX, SPDX, OpenVEX, and GitHub Actions summaries from the same run.

TrustCheck vs pip-audit

Move from vulnerability-only checks to release trust.

pip-audit is useful when the question is "does this dependency have a known vulnerability?" TrustCheck answers the larger production question: "is this package release trustworthy enough to use?"

pip-audit-only gate

Known advisory status

Good for dependency vulnerability visibility, but it leaves provenance, source identity, artifact posture, and audit evidence to other processes.

TrustCheck gate

Complete release approval context

Combines vulnerability signals with build provenance, repository matching, artifact inspection, policy decisions, and compliance exports.

Capability TrustCheck pip-audit Typical vulnerability scanner
Known vulnerability lookup Yes, with PyPI and OSV context Yes Usually
Alias-aware advisory agreement Yes, across CVE, GHSA, PYSEC, and provider IDs Yes for reported advisories Varies
PyPI provenance verification Built in No No
Trusted Publisher and signer context Built in No Rare
Expected repository enforcement Built in with policy support No Limited
Source, tag, commit, and artifact consistency Built in No Rare
Wheel and sdist inspection without importing code Built in No Limited
Requirements, lockfile, environment, and dependency scanning Broad Python workflow coverage Strong dependency audit coverage Varies by ecosystem
CI policy outcomes Pass, warn, or block from a trust policy Advisory-focused exit behavior Usually severity-based
Audit and compliance outputs SARIF, SBOM, VEX, Markdown, and JSON Vulnerability report formats Varies
Remediation workflow Risk-aware fix planning and safe automation paths Advisory fixes Varies
Best default role Release approval and supply-chain assurance Dedicated vulnerability audit Advisory visibility

Published benchmark

TrustCheck adds evidence without giving up speed.

The latest published benchmark uses corpus 2026.06, Python 3.14.6, workflow-pinned pip-audit 2.10.1, and 112 comparable direct-pin package entries.

Alias-aware agreement 1.0

Across 105 compared packages and 263 matched advisories.

TrustCheck warm p50 14.20 s

Measured for trustcheck scan --fast in the published run.

pip-audit warm p50 38.51 s

Measured against the workflow-pinned comparison command.

trustcheck scan --fast

Cold p50 16.00 s - Warm p50 14.20 s - Warm p95 14.44 s - 78.0 MiB RSS

pip-audit

Cold p50 36.69 s - Warm p50 38.51 s - Warm p95 39.82 s - 75.6 MiB RSS

Read benchmark methodology

Adoption path

Start with one command. Grow into a policy gate.

TrustCheck fits the way Python teams already work: local CLI checks, GitHub Actions, lockfile scans, release reviews, and machine-readable evidence for security programs.

python -m pip install trustcheck

trustcheck inspect sampleproject \
  --version 4.0.0 \
  --expected-repo https://github.com/pypa/sampleproject \
  --strict
1

Run it beside pip-audit

Keep your advisory scanner, then add TrustCheck for provenance, repository, artifact, and policy evidence.

2

Promote it into CI

Use strict gates on important packages and produce SARIF or Markdown summaries for pull requests.

3

Standardize release approval

Make package trust evidence repeatable across teams, repositories, and dependency update workflows.

Who benefits

A stronger default for every Python dependency decision.

Choose evidence over guesswork

Make TrustCheck the trust layer in front of every PyPI install.

Open quickstart