Attestation envelope, builder claims, source materials, and artifact digests align.
PyPI supply-chain assurance
TrustCheck
Choose Python packages with release evidence, not advisory counts alone. TrustCheck verifies provenance, repository identity, artifact posture, vulnerability intelligence, and policy evidence before a package reaches production.
Declared, expected, and attested source repositories point to the same upstream.
PyPI and OSV vulnerability signals are normalized, aliased, and policy scored.
JSON, Markdown, SARIF, SBOM, and VEX outputs keep the decision traceable.
Why it exists
Vulnerability scanning is necessary. It is not enough.
A clean advisory result does not tell you who built the release, which source repository it came from, whether provenance covers every artifact, or whether the package matches your organization's approval policy. TrustCheck turns those missing signals into a single release decision with evidence you can keep.
Assurance surface
Everything a release gate needs in one tool.
TrustCheck is built for maintainers, security teams, and platform engineers who need a repeatable answer before dependencies are installed, promoted, or merged.
Verify how the release was built
Validate Sigstore attestations, SLSA build definitions, source materials, builders, and artifact digests.
Connect PyPI to the real upstream
Compare project metadata, Trusted Publisher hints, expected repositories, tags, commits, and attested source.
Keep vulnerability context in the decision
Normalize PyPI and OSV advisories, aliases, fixed versions, severity, suppression, and policy impact.
Inspect distributions without importing code
Review wheels and sdists for native binaries, static findings, suspicious files, and source-release mismatch.
Gate releases with explicit rules
Use strict mode, expected repositories, trusted project lists, dependency policies, and CI-friendly exits.
Export reports auditors can follow
Generate Markdown, JSON, SARIF, CycloneDX, SPDX, OpenVEX, and GitHub Actions summaries from the same run.
TrustCheck vs pip-audit
Move from vulnerability-only checks to release trust.
pip-audit is useful when the question is "does this dependency have a known vulnerability?"
TrustCheck answers the larger production question: "is this package release trustworthy enough to use?"
Known advisory status
Good for dependency vulnerability visibility, but it leaves provenance, source identity, artifact posture, and audit evidence to other processes.
Complete release approval context
Combines vulnerability signals with build provenance, repository matching, artifact inspection, policy decisions, and compliance exports.
Published benchmark
TrustCheck adds evidence without giving up speed.
The latest published benchmark uses corpus 2026.06, Python 3.14.6,
workflow-pinned pip-audit 2.10.1, and 112 comparable direct-pin package entries.
Across 105 compared packages and 263 matched advisories.
Measured for trustcheck scan --fast in the published run.
Measured against the workflow-pinned comparison command.
Adoption path
Start with one command. Grow into a policy gate.
TrustCheck fits the way Python teams already work: local CLI checks, GitHub Actions, lockfile scans, release reviews, and machine-readable evidence for security programs.
python -m pip install trustcheck
trustcheck inspect sampleproject \
--version 4.0.0 \
--expected-repo https://github.com/pypa/sampleproject \
--strict
Run it beside pip-audit
Keep your advisory scanner, then add TrustCheck for provenance, repository, artifact, and policy evidence.
Promote it into CI
Use strict gates on important packages and produce SARIF or Markdown summaries for pull requests.
Standardize release approval
Make package trust evidence repeatable across teams, repositories, and dependency update workflows.
Who benefits
A stronger default for every Python dependency decision.
Choose evidence over guesswork