A deterministic trust report for open-source projects.
TrustScope checks a public GitHub repository and reflects it back across four pillars — security & supply chain, governance, and community — without hiding the trade-offs behind a single score.
The problem
Adopting an open-source tool means running someone else's code in your own supply chain — and deciding how far to trust it. A star count or a green badge says little about that. The questions that actually matter — Is it built securely? Is there a reliable project behind it? Will it still be maintained in a year? — stay unanswered, or vanish behind one number.
The four pillars
TrustScope answers each question separately, because each one is different.
Security & Supply Chain
The full OpenSSF Scorecard: branch protection, pinned dependencies, token permissions, SAST, signed releases, dependency-update tooling, and more — the checks that decide how safe it is to pull into your build.
Trust & Governance
License, security policy, and the responsible owner — is there a way to reach someone when something breaks, and are the rules of engagement clear? The project behind the code matters as much as the code.
Community & Sustainability
Maintenance cadence, contributors, and recent activity — read as a lifecycle stage, never as a grade. A one-maintainer library early in its life is not “failing”; it is simply young.
Functional Quality
Honestly left open. Whether software is genuinely well-made is a hands-on craft judgement — so TrustScope marks this pillar “not assessed” rather than faking it from automated signals.
Why no single score?
Because each pillar answers a different question. A brilliant, secure library maintained by one person is not “7 out of 10” — it is strong on security and early on community. Collapsing that into one number hides exactly the trade-off you are trying to weigh. So TrustScope doesn't.
How it works
Paste a public repository
Any public GitHub repo — a full URL or just owner/repo.
We assess it deterministically
TrustScope runs the OpenSSF Scorecard and reads public GitHub governance and lifecycle signals. Same repo, same report — reproducible.
Read the four pillars
Per-pillar findings, each answering its own question — with the trade-offs kept visible instead of averaged away.
Send fixes upstream, as yourself
Every finding comes with a constructive suggestion. File them as a friendly GitHub issue in one click — as yourself, with a visible “via TrustScope” footer. Never a bot.
Open, deterministic, upstream-friendly
Deterministic. The same repository produces the same report — the assessment is grounded in the OpenSSF Scorecard and public GitHub data, not in opinion.
Constructive by default. Every finding is paired with a concrete fix and framed as a suggestion, not a verdict. When you file it upstream, the issue is opened as you — with a visible “via TrustScope” attribution — so real improvements trace back to a real person.
Open source. TrustScope is MIT-licensed and public on GitHub. An open-source trust report by Neckarshore AI — and it runs on itself.