### Build and Test Snap Locally Source: https://github.com/halfblood-prince/trustcheck/blob/main/snap/README.md Commands to install snapcraft, build the snap, lint it, install it locally, and verify the installation. ```bash sudo snap install snapcraft --classic snapcraft snapcraft lint ./trustcheck_*.snap sudo snap install --dangerous ./trustcheck_*.snap snap run trustcheck --version export PATH="/snap/bin:$PATH" trustcheck --version ``` -------------------------------- ### Install Trustcheck via Snap Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/installation.md Installation command for Snap users and initial version verification. ```bash sudo snap install trustcheck trustcheck --version ``` -------------------------------- ### Install Trustcheck via PyPI Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/installation.md Standard installation command for the package using pip. ```bash pip install trustcheck ``` -------------------------------- ### Scan and Install Dependencies Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/index.md Scan files for vulnerabilities or perform secure installations. ```bash trustcheck scan -f requirements.txt ``` ```bash trustcheck install -r requirements.txt --policy strict trustcheck install requests==2.32.5 --require-provenance ``` ```bash trustcheck scan -f pyproject.toml ``` -------------------------------- ### Install Trustcheck with Keyring Support Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Optional installation for users requiring private-index credentials stored in an in-process keyring. ```bash pip install "trustcheck[keyring]" ``` -------------------------------- ### Verify and install dependencies Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Installs dependencies with security policies, lock files, or provenance requirements. ```bash trustcheck install -r requirements.txt --policy strict trustcheck install -r requirements.txt --lock trustcheck.lock trustcheck install requests==2.32.5 --require-provenance ``` -------------------------------- ### Install and inspect a project with TrustCheck Source: https://github.com/halfblood-prince/trustcheck/blob/main/web/index.html Install the package via pip and run a strict inspection on a project with repository verification. ```bash python -m pip install trustcheck trustcheck inspect sampleproject \ --version 4.0.0 \ --expected-repo https://github.com/pypa/sampleproject \ --strict ``` -------------------------------- ### Configure Snap PATH and Verify Installation Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Commands to update the shell PATH for Snap and verify the installation version. ```bash export PATH="/snap/bin:$PATH" trustcheck --version ``` -------------------------------- ### Check version Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Displays the installed package and report schema versions. ```bash trustcheck --version ``` -------------------------------- ### Troubleshoot Snap Path Issues Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/installation.md Commands to verify the installation if the trustcheck command is not found in the system PATH. ```bash snap run trustcheck --version snap run trustcheck inspect requests ``` ```bash export PATH="/snap/bin:$PATH" trustcheck --version ``` ```bash snap info trustcheck snap connections trustcheck ``` -------------------------------- ### Scan an installed environment Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Scans the packages installed in a specific environment path. ```bash trustcheck environment --path .venv/lib/python3.12/site-packages ``` -------------------------------- ### Run full analysis Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Execute a comprehensive analysis on a target-compatible install artifact using multiple workers. ```bash trustcheck scan sampleproject --version 4.0.0 --full --workers 8 ``` -------------------------------- ### Discover installed distributions Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Use this to identify installed packages in the current environment or specific site-packages directories. ```python from trustcheck import discover_installed_distributions active = discover_installed_distributions() other = discover_installed_distributions( [".venv/lib/python3.12/site-packages"] ) ``` -------------------------------- ### discover_installed_distributions(paths=None) Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Discovers installed Python distributions using importlib.metadata and PEP 610 direct_url.json files. ```APIDOC ### Function: discover_installed_distributions #### Description Discovers installed distributions in the environment. Optionally accepts a list of paths to search. #### Parameters - **paths** (list of str) - Optional - A list of file system paths to search for distributions. ``` -------------------------------- ### Enable a signed plugin Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Explicitly enable an installed and signed plugin for the scan process. ```bash trustcheck scan -f requirements.txt --plugin policy:company-policy ``` -------------------------------- ### Verify CLI Availability Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/installation.md Commands to check if the CLI is installed and to display version information. ```bash trustcheck --help ``` ```bash trustcheck --version ``` -------------------------------- ### Refresh Snap Installation Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/installation.md Command to update the Snap package and verify functionality after permission errors. ```bash sudo snap refresh trustcheck trustcheck inspect sampleproject --version 4.0.0 ``` -------------------------------- ### Run Atheris Fuzzing Target Source: https://github.com/halfblood-prince/trustcheck/blob/main/fuzz/README.md Install dependencies and execute a fuzzing target with specified run parameters. ```bash python -m pip install . atheris==3.0.0 python fuzz/fuzz_artifacts.py -runs=10000 -max_len=65536 -timeout=10 ``` -------------------------------- ### Audit an installed environment Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Audit the current environment or a specific site-packages directory. ```bash trustcheck environment ``` ```bash trustcheck environment --path .venv/lib/python3.12/site-packages ``` -------------------------------- ### Select Target Platform for Snapcraft Build Source: https://github.com/halfblood-prince/trustcheck/blob/main/snap/README.md Explicitly select a target platform when building a snap with snapcraft. ```bash snapcraft --platform=arm64 ``` -------------------------------- ### Scan and plan dependency upgrades Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Plan a secure upgrade set based on requirements.txt constraints and output remediation details. ```bash trustcheck scan -f requirements.txt \ --with-osv \ --plan-fixes \ --remediation-output reports/trustcheck-remediation.json ``` -------------------------------- ### Register plugin entry point Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/performance-extensibility.md Define the entry point for a custom policy rule in the project configuration. ```toml [project.entry-points."trustcheck.policy_rules"] company-policy = "company_trustcheck:CompanyPolicy" ``` -------------------------------- ### Execute scan with plugins Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/performance-extensibility.md Enable specific plugins and provide a configuration file to extend scan capabilities. ```bash trustcheck scan -f requirements.txt \ --plugin advisory:company-osv \ --plugin policy:company-policy \ --plugin-config trustcheck-plugins.json ``` -------------------------------- ### PipResolver Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Resolves dependencies for a requirements file without installing them, supporting various sandbox modes. ```APIDOC ## PipResolver(sandbox_mode='auto').resolve_requirements_file(requirements_file, constraints=None, target=None) ### Description Obtains the exact package set selected by pip. The resolver supports multiple sandbox modes for secure execution. ### Parameters - **sandbox_mode** (str) - Optional - 'off', 'warn', 'auto', 'container', 'bubblewrap', or 'strict'. Default is 'auto'. - **requirements_file** (str) - Required - Path to the requirements file. - **constraints** (list) - Optional - List of constraint files. - **target** (TargetEnvironment) - Optional - The target environment configuration (python_version, platforms, implementation, abis). ``` -------------------------------- ### Initialize Vulnerability Intelligence Client Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Configures the intelligence client with multiple OSV providers, KEV, and EPSS clients to inspect package vulnerabilities. ```python from trustcheck import ( CisaKevClient, EpssClient, OsvClient, OsvProvider, VulnerabilityIntelligenceClient, inspect_package, ) intelligence = VulnerabilityIntelligenceClient( providers=( OsvProvider("OSV", OsvClient()), OsvProvider( "Private OSV", OsvClient(base_url="https://advisories.example.com"), ), ), kev_client=CisaKevClient(), epss_client=EpssClient(), ) report = inspect_package( "jinja2", version="2.10.0", vulnerability_client=intelligence, ) ``` -------------------------------- ### Execute Trustcheck Agent Adapter Source: https://github.com/halfblood-prince/trustcheck/blob/main/plugins/trustcheck-gate/skills/trustcheck-gate/references/operation-schema.md Run the adapter script using a JSON request file as input. ```bash python plugins/trustcheck-gate/skills/trustcheck-gate/scripts/trustcheck_agent_adapter.py request.json --pretty ``` -------------------------------- ### Verify dependency manifest Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/guides/ci-integration.md Run the TrustCheck CLI after setting up Python to verify dependencies against an existing manifest file. ```yaml steps: - uses: actions/checkout@v7 - uses: actions/setup-python@v6 with: python-version: "3.12" - run: python -m pip install trustcheck - run: | trustcheck manifest verify \ -f requirements.lock \ --manifest trustcheck.manifest.json ``` -------------------------------- ### Manage Trust Manifests Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Commands to initialize, verify, and update dependency trust manifests. ```bash trustcheck manifest init -f requirements.lock --output trustcheck.manifest.json trustcheck manifest verify -f requirements.lock --manifest trustcheck.manifest.json trustcheck manifest update -f requirements.lock --manifest trustcheck.manifest.json ``` -------------------------------- ### Configure resolution environment Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Specify resolution constraints or enable sandboxing for dependency analysis. ```bash trustcheck scan -f requirements.txt \ --constraint constraints.txt \ --python-version 3.12 \ --platform manylinux_2_28_x86_64 \ --implementation cp \ --abi cp312 ``` ```bash trustcheck scan -f requirements.txt --sandbox auto ``` -------------------------------- ### Resolving dependencies with PipResolver Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Obtains the exact package set selected by pip without installation. Supports various sandbox modes for secure resolution. ```python from trustcheck import PipResolver, TargetEnvironment resolution = PipResolver(sandbox_mode="auto").resolve_requirements_file( "requirements.txt", constraints=["constraints.txt"], target=TargetEnvironment( python_version="3.12", platforms=("manylinux_2_28_x86_64",), implementation="cp", abis=("cp312",), ), ) print(resolution.versions) ``` -------------------------------- ### Run TrustCheck CLI and GitHub Action Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/index.md Basic usage of the CLI and the GitHub Action for CI/CD integration. ```bash trustcheck inspect sampleproject --version 4.0.0 ``` ```yaml steps: - uses: actions/checkout@v7 - uses: Halfblood-Prince/trustcheck@v2 with: target: requirements.txt policy: strict ``` -------------------------------- ### Inspect packages with Python API Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/index.md Use the inspect_package function to retrieve security reports for specific package versions. Ensure the package is installed or accessible in your environment. ```python from trustcheck import inspect_package report = inspect_package("sampleproject", version="4.0.0", include_dependencies=True) print(report.recommendation) print(report.to_dict()["report"]["coverage"]["status"]) print(report.dependency_summary.highest_risk_recommendation) ``` -------------------------------- ### Inspect lockfile dependencies Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Retrieve exact version information from supported lockfiles. ```bash trustcheck inspect -f pylock.toml --with-transitive-deps trustcheck scan -f Pipfile.lock ``` -------------------------------- ### Verify source repository Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Ensure the package originates from the expected repository URL. ```bash trustcheck inspect sampleproject \ --version 4.0.0 \ --expected-repo https://github.com/pypa/sampleproject ``` -------------------------------- ### Inspect Packages Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/index.md Commands to inspect package metadata, repositories, and dependency trees. ```bash trustcheck inspect requests ``` ```bash trustcheck inspect sampleproject \ --version 4.0.0 \ --expected-repo https://github.com/pypa/sampleproject ``` ```bash trustcheck inspect sampleproject --version 4.0.0 --format json ``` ```bash trustcheck inspect sampleproject --version 4.0.0 --with-deps ``` ```bash trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps ``` ```bash trustcheck inspect -f uv.lock --with-transitive-deps ``` ```bash trustcheck inspect sampleproject --version 4.0.0 --inspect-artifacts --verbose ``` ```bash trustcheck inspect sampleproject --version 4.0.0 --strict ``` -------------------------------- ### Configure Trustcheck with TOML Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/configuration.md Define project settings using TOML format. The structure differs slightly between pyproject.toml and standalone configuration files. ```toml [tool.trustcheck] policy = "strict" with_osv = true with_kev = true scan_profile = "standard" artifact_scope = "target" [tool.trustcheck.network] timeout = 20.0 retries = 4 cache_dir = ".trustcheck-cache" ``` ```toml policy = "strict" with_osv = true with_kev = true scan_profile = "standard" artifact_scope = "target" [network] timeout = 20.0 retries = 4 cache_dir = ".trustcheck-cache" ``` -------------------------------- ### Inspect a package Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Basic inspection of a specified package. ```bash trustcheck inspect requests ``` -------------------------------- ### Inspect a project Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Performs an inspection on the specified project. ```bash trustcheck inspect ``` -------------------------------- ### Inspect a package with TrustCheck Source: https://github.com/halfblood-prince/trustcheck/blob/main/web/index.html Run a package inspection with strict policy enforcement to determine if a release is approved for promotion. ```bash trustcheck inspect sampleproject --version 4.0.0 --strict ``` -------------------------------- ### Run Trustcheck via Snap Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Bypass shell PATH lookup by executing the binary directly through Snap. ```bash snap run trustcheck inspect requests ``` -------------------------------- ### Run Trustcheck Benchmark Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/benchmarks.md Executes the performance and correctness comparison against pip-audit. ```bash python benchmarks/benchmark_against_pip_audit.py ``` -------------------------------- ### Execute Package Check via Adapter Source: https://github.com/halfblood-prince/trustcheck/blob/main/plugins/trustcheck-gate/skills/trustcheck-gate/SKILL.md Use this JSON structure to request a package security evaluation through the Trustcheck adapter. ```json { "operation": "check_package", "package": "sampleproject", "version": "4.0.0", "policy": "default", "analysis_depth": "standard", "with_osv": true } ``` -------------------------------- ### Execute benchmark against pip-audit Source: https://github.com/halfblood-prince/trustcheck/blob/main/benchmarks/README.md Run the benchmark script with specified warmups and iterations to generate performance and correctness results. ```bash python benchmarks/benchmark_against_pip_audit.py \ --warmups 1 \ --iterations 5 \ --evidence-iterations 5 \ --output benchmarks/results/latest.json ``` -------------------------------- ### Audit environments and packages Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Audit the active environment or specific site-packages directories, and inspect wheel or sdist contents. ```bash trustcheck environment ``` ```bash trustcheck environment --path .venv/lib/python3.12/site-packages ``` ```bash trustcheck inspect sampleproject --version 4.0.0 --inspect-artifacts --verbose ``` -------------------------------- ### Inspect dependency trees Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Examine direct or transitive dependencies for a package or requirements file. ```bash trustcheck inspect sampleproject --version 4.0.0 --with-deps ``` ```bash trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps ``` ```bash trustcheck inspect -f requirements.txt ``` -------------------------------- ### Compare Dependency Graphs with Trustcheck Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Compare old and new dependency lockfiles to identify changes in trust evidence. Use the --manifest flag to enforce an existing baseline. ```bash trustcheck diff requirements-old.lock requirements-new.lock trustcheck diff requirements-old.lock requirements-new.lock \ --manifest trustcheck.manifest.json \ --format markdown trustcheck diff --base origin/main --head HEAD --github-pr --comment ``` -------------------------------- ### Inspect a supported lockfile Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Analyze lockfiles to verify exact versions, hashes, and artifact details. ```bash trustcheck inspect -f uv.lock --with-transitive-deps ``` -------------------------------- ### Inspect a package with a progress callback Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Use a callback function to monitor the progress of package inspection by tracking the current file index and total count. ```python from trustcheck import inspect_package def on_progress(filename: str, index: int, total: int) -> None: print(f"[{index}/{total}] verifying {filename}") report = inspect_package( "sampleproject", version="4.0.0", progress_callback=on_progress, ) ``` -------------------------------- ### Configure Trustcheck with JSON Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/configuration.md Define advanced network, advisory, and performance settings using a JSON configuration file. ```json { "network": { "timeout": 20.0, "retries": 4, "backoff_factor": 0.5, "cache_dir": ".trustcheck-cache" }, "advisories": { "osv": true, "osv_urls": ["https://advisories.example.com"], "ecosystems": true, "kev": true, "kev_url": "https://www.cisa.gov/example/known_exploited.json", "epss": true, "epss_url": "https://api.first.org/data/v1/epss" }, "performance": { "max_workers": 8 } } ``` -------------------------------- ### Run a resumable scan with advisory snapshots Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Execute a bounded scan that can be resumed and generate a signed advisory snapshot. ```bash trustcheck scan -f requirements.txt \ --with-osv \ --workers 8 \ --resume-state .trustcheck/scan-state.json \ --write-advisory-snapshot .trustcheck/advisories.json \ --sign-advisory-snapshot ``` -------------------------------- ### Scan with artifact scope Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Perform a strict whole-release review using a requirements lock file. ```bash trustcheck scan -f requirements.lock --full --artifact-scope all --strict ``` -------------------------------- ### Inspect project dependencies Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Examine dependencies declared in a TOML project file. ```bash trustcheck inspect -f pyproject.toml ``` -------------------------------- ### Run system diagnostics Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Execute the doctor command to verify local prerequisites before performing dependency resolution or provenance verification. ```bash trustcheck doctor ``` -------------------------------- ### Scan with policy bundle Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Apply a predefined policy bundle during the scan process. ```bash trustcheck scan -f requirements.txt --policy release-gate ``` -------------------------------- ### Scan requirements with summary Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Perform a scan on a requirements file and output only the gate decision fields. ```bash trustcheck scan -f requirements.txt --summary ``` -------------------------------- ### Inspect full dependency tree Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Inspects the entire dependency tree including transitive dependencies. ```bash trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps ``` -------------------------------- ### Scan dependency files Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Scan requirements or TOML files to generate dependency reports in JSON format. ```bash trustcheck scan -f requirements.txt --format json ``` -------------------------------- ### Compare dependency updates Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Reviews changes between dependency files or Git references. ```bash trustcheck diff requirements-old.lock requirements-new.lock trustcheck diff --base origin/main --head HEAD --github-pr ``` -------------------------------- ### Inspect package releases Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Retrieve information about the latest or specific versions of a package. ```bash trustcheck inspect requests ``` ```bash trustcheck inspect sampleproject --version 4.0.0 ``` -------------------------------- ### Scan with sandbox and constraints Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Performs scans using sandboxing or specific constraint files. ```bash trustcheck scan -f requirements.txt --sandbox auto ``` ```bash trustcheck scan -f requirements.txt --constraint constraints.txt ``` -------------------------------- ### Plan dependency fixes Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Plan secure dependency changes and output remediation reports without modifying files. ```bash trustcheck scan -f requirements.txt \ --with-osv \ --plan-fixes \ --remediation-output reports/remediation.json ``` -------------------------------- ### Apply Custom Inspection Policies Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Use a custom JSON policy file to define specific inspection rules for a package. ```bash trustcheck inspect sampleproject --version 4.0.0 --policy-file ./policy.json ``` -------------------------------- ### Display verbose evidence Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Show detailed per-file evidence during an inspection. ```bash trustcheck inspect sampleproject --version 4.0.0 --verbose ``` -------------------------------- ### Inspect direct dependencies Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Inspects direct dependencies for a specific project version. ```bash trustcheck inspect sampleproject --version 4.0.0 --with-deps ``` -------------------------------- ### Configure advisory services Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md JSON configuration to enable advisory services and override enrichment endpoints. ```json { "advisories": { "osv": true, "osv_urls": ["https://advisories.example.com"], "ecosystems": true, "kev": true, "kev_url": "https://www.cisa.gov/example/known_exploited.json", "epss": true, "epss_url": "https://api.first.org/data/v1/epss" } } ``` -------------------------------- ### Inspect requirements with trusted projects Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Use the inspect command to validate dependencies from a requirements file while specifying trusted project names. ```bash trustcheck inspect -f requirements.txt \ --trusted-project internal-sdk \ --trusted-project internal-auth ``` -------------------------------- ### Scan a private index Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Scan dependencies from private indexes while configuring authentication via keyring providers. ```bash trustcheck scan -f requirements.txt \ --index-url https://username@packages.example.com/simple \ --keyring-provider subprocess ``` -------------------------------- ### Run Trustcheck as a GitHub Action Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Integrate Trustcheck into CI/CD pipelines to scan dependency files and generate reports. ```yaml steps: - uses: actions/checkout@v7 - uses: Halfblood-Prince/trustcheck@v2 with: target: requirements.txt policy: strict ``` -------------------------------- ### Scan a project Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Performs a vulnerability scan on the specified project. ```bash trustcheck scan ``` -------------------------------- ### Analyze Impact and Repair Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/index.md Prioritize vulnerabilities based on usage or plan dependency fixes. ```bash trustcheck impact -f requirements.lock --source . ``` ```bash trustcheck scan -f requirements.txt --with-osv --plan-fixes trustcheck scan -f uv.lock --with-osv --fix --dry-run ``` -------------------------------- ### Verify package repository Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/guides/ci-integration.md Applies repository verification to a package target. This configuration is rejected if the target is a file. ```yaml - uses: Halfblood-Prince/trustcheck@v2 with: target: sampleproject expected-repo: https://github.com/pypa/sampleproject policy: strict ``` -------------------------------- ### Accessing TrustReport Fields Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Iterate through risk flags, file provenance, and dependency metadata after inspecting a package. ```python from trustcheck import inspect_package report = inspect_package("sampleproject", version="4.0.0") for flag in report.risk_flags: print(flag.severity, flag.code, flag.message) for file in report.files: print(file.filename, file.verified, file.error) for provenance in file.slsa_provenance: print( provenance.source_repository, provenance.source_commit, provenance.builder_id, ) for dependency in report.dependencies: print(dependency.project, dependency.depth, dependency.recommendation, dependency.error) ``` -------------------------------- ### Scan with OSV integration Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Query OSV alongside PyPI to retrieve source, severity, and advisory information. ```bash trustcheck scan jinja2 --version 2.10.0 --with-osv ``` -------------------------------- ### Emit machine-readable JSON Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Use the inspect command to output project metadata in JSON format for a specific version. ```bash trustcheck inspect sampleproject --version 4.0.0 --format json ``` -------------------------------- ### Scan with multiple advisory providers Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Query all built-in advisory providers and enrich CVE aliases. ```bash trustcheck scan jinja2 \ --version 2.10.0 \ --with-osv \ --with-ecosystems \ --with-kev \ --with-epss ``` -------------------------------- ### Apply custom policy file Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/guides/ci-integration.md Uses a repository-relative JSON file for policy enforcement, following the same schema as the CLI --policy-file option. ```yaml - uses: Halfblood-Prince/trustcheck@v2 with: target: pyproject.toml policy: .github/trustcheck-policy.json ``` -------------------------------- ### Scan project with vulnerability filters Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Scan a project for vulnerabilities with specific versioning and performance flags. ```bash trustcheck scan sampleproject --version 4.0.0 --fast ``` -------------------------------- ### Manage advisory snapshots with CLI Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/performance-extensibility.md Commands for generating a signed advisory snapshot and performing an offline scan using that snapshot. ```bash trustcheck scan -f requirements.txt \ --with-osv \ --write-advisory-snapshot .trustcheck/advisories.json \ --sign-advisory-snapshot trustcheck scan -f requirements.txt \ --offline \ --cache-dir .trustcheck/cache \ --advisory-snapshot .trustcheck/advisories.json \ --advisory-snapshot-identity \ https://github.com/example/project/.github/workflows/snapshot.yml@refs/heads/main \ --advisory-snapshot-issuer https://token.actions.githubusercontent.com \ --max-advisory-age 24 ``` -------------------------------- ### Require a repository match Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Enforce repository verification to ensure the package originates from the expected source before proceeding. ```python from trustcheck import inspect_package report = inspect_package( "sampleproject", version="4.0.0", expected_repository="https://github.com/pypa/sampleproject", ) if report.recommendation in {"review-required", "high-risk"}: raise SystemExit("package trust review required") ``` -------------------------------- ### Configure minimal dependency gate Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/guides/ci-integration.md Use this step to enforce strict policy evaluation on a requirements file. Requires actions/checkout for file-based targets. ```yaml steps: - uses: actions/checkout@v7 - uses: Halfblood-Prince/trustcheck@v2 with: target: requirements.txt policy: strict sandbox: auto ``` -------------------------------- ### Generate SBOM, VEX, and Markdown reports Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/cli/index.md Produces various industry-standard security and documentation formats from scan or environment data. ```bash trustcheck scan -f pylock.toml --format cyclonedx-json \ --output-file reports/trustcheck.cdx.json trustcheck environment --format cyclonedx-xml \ --output-file reports/environment.cdx.xml trustcheck scan -f requirements.txt --format spdx-json \ --output-file reports/trustcheck.spdx.json trustcheck scan -f requirements.txt --format openvex \ --output-file reports/trustcheck.openvex.json trustcheck scan -f requirements.txt --format markdown \ --output-file reports/trustcheck.md ``` -------------------------------- ### Configure Pre-commit Hook Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Configuration for integrating Trustcheck into a pre-commit workflow. ```yaml repos: - repo: https://github.com/Halfblood-Prince/trustcheck rev: v2 hooks: - id: trustcheck ``` -------------------------------- ### Inspect package and validate schema Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Perform a package inspection and verify the resulting report against the library's JSON schema. ```python from trustcheck import JSON_SCHEMA_VERSION, TrustReport, get_json_schema, inspect_package report = inspect_package("sampleproject", version="4.0.0", include_dependencies=True) payload = report.to_dict() assert payload["schema_version"] == JSON_SCHEMA_VERSION schema = get_json_schema() assert schema["$id"] ``` -------------------------------- ### Verify source and release provenance Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Validate that the source and release provenance match for a specific package version and tag. ```bash trustcheck inspect sampleproject \ --version 4.0.0 \ --source-release-provenance \ --release-tag v4.0.0 ``` -------------------------------- ### Resume a scan with state file Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/performance-extensibility.md Use the --resume-state flag to checkpoint scan progress and resume from the last successful target. ```bash trustcheck scan -f requirements.txt \ --with-osv \ --resume-state .trustcheck/scan-state.json ``` -------------------------------- ### Scan requirements file Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/getting-started/quickstart.md Audits dependencies defined in a requirements file. ```bash trustcheck scan -f requirements.txt ``` -------------------------------- ### Plan remediation Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/guides/ci-integration.md Generates a machine-readable patch bundle for identified vulnerabilities. ```yaml - uses: Halfblood-Prince/trustcheck@v2 with: target: requirements.txt with-osv: "true" remediation: plan remediation-path: reports/remediation.json ``` -------------------------------- ### Inspect package via Python API Source: https://github.com/halfblood-prince/trustcheck/blob/main/README.md Use the Trustcheck Python library to inspect a package and access the recommendation programmatically. ```python from trustcheck import inspect_package report = inspect_package("sampleproject", version="4.0.0", include_dependencies=True) print(report.recommendation) ``` -------------------------------- ### inspect_package(project, version, include_dependencies=False, include_transitive_dependencies=False, expected_repository=None) Source: https://github.com/halfblood-prince/trustcheck/blob/main/docs/reference/python-api.md Inspects a specific package version to generate a trust report, including optional dependency and transitive dependency analysis. ```APIDOC ### Function: inspect_package #### Description Generates a TrustReport for a given project and version. Supports dependency inspection and repository validation. #### Parameters - **project** (str) - Required - The name of the package to inspect. - **version** (str) - Required - The version of the package to inspect. - **include_dependencies** (bool) - Optional - Whether to include direct dependencies in the report. - **include_transitive_dependencies** (bool) - Optional - Whether to include the full transitive dependency tree. - **expected_repository** (str) - Optional - A URL string to verify the package repository match. ```