Bodo, the TrustScope mascotTrustScope
How TrustScope works

A deterministic trust report for open-source projects.

TrustScope checks a public GitHub repository and reflects it back across four pillars — security & supply chain, governance, and community — without hiding the trade-offs behind a single score.

The problem

Adopting an open-source tool means running someone else's code in your own supply chain — and deciding how far to trust it. A star count or a green badge says little about that. The questions that actually matter — Is it built securely? Is there a reliable project behind it? Will it still be maintained in a year? — stay unanswered, or vanish behind one number.

The four pillars

TrustScope answers each question separately, because each one is different.

Pillar 1· Is it built securely?

Security & Supply Chain

The full OpenSSF Scorecard: branch protection, pinned dependencies, token permissions, SAST, signed releases, dependency-update tooling, and more — the checks that decide how safe it is to pull into your build.

Pillar 2· Can I trust the project behind it?

Trust & Governance

License, security policy, and the responsible owner — is there a way to reach someone when something breaks, and are the rules of engagement clear? The project behind the code matters as much as the code.

Pillar 3· Will it be here in a year?

Community & Sustainability

Maintenance cadence, contributors, and recent activity — read as a lifecycle stage, never as a grade. A one-maintainer library early in its life is not “failing”; it is simply young.

Pillar 4· Is it well-built?

Functional Quality

Honestly left open. Whether software is genuinely well-made is a hands-on craft judgement — so TrustScope marks this pillar “not assessed” rather than faking it from automated signals.

Why no single score?

Because each pillar answers a different question. A brilliant, secure library maintained by one person is not “7 out of 10” — it is strong on security and early on community. Collapsing that into one number hides exactly the trade-off you are trying to weigh. So TrustScope doesn't.

How it works

1

Paste a public repository

Any public GitHub repo — a full URL or just owner/repo.

2

We assess it deterministically

TrustScope runs the OpenSSF Scorecard and reads public GitHub governance and lifecycle signals. Same repo, same report — reproducible.

3

Read the four pillars

Per-pillar findings, each answering its own question — with the trade-offs kept visible instead of averaged away.

4

Send fixes upstream, as yourself

Every finding comes with a constructive suggestion. File them as a friendly GitHub issue in one click — as yourself, with a visible “via TrustScope” footer. Never a bot.

Open, deterministic, upstream-friendly

Deterministic. The same repository produces the same report — the assessment is grounded in the OpenSSF Scorecard and public GitHub data, not in opinion.

Constructive by default. Every finding is paired with a concrete fix and framed as a suggestion, not a verdict. When you file it upstream, the issue is opened as you — with a visible “via TrustScope” attribution — so real improvements trace back to a real person.

Open source. TrustScope is MIT-licensed and public on GitHub. An open-source trust report by Neckarshore AI — and it runs on itself.