Config and offline mode¶
Trustcheck discovers reusable project settings and combines them with environment variables and CLI flags.
Config file shape¶
Configuration is discovered in this order:
- an explicit
--config-file PATH .trustcheck.tomlin the current directory[tool.trustcheck]inpyproject.toml
Explicit files may be JSON, standalone TOML, or pyproject.toml. The existing
JSON shape remains supported. The network, advisories, and performance
fields, when present, must be objects or TOML tables.
Project-level TOML example:
[tool.trustcheck]
policy = "strict"
with_osv = true
with_kev = true
scan_profile = "standard"
artifact_scope = "target"
dynamic_analysis = false
dynamic_python = "3.12"
[tool.trustcheck.network]
timeout = 20.0
retries = 4
cache_dir = ".trustcheck-cache"
The equivalent standalone .trustcheck.toml omits the tool.trustcheck
prefix:
policy = "strict"
with_osv = true
with_kev = true
scan_profile = "standard"
artifact_scope = "target"
dynamic_analysis = false
dynamic_python = "3.12"
[network]
timeout = 20.0
retries = 4
cache_dir = ".trustcheck-cache"
Supported project-level settings are policy, with_osv, with_kev,
scan_profile, artifact_scope, dynamic_analysis, dynamic_python, and
dynamic_image. Existing provider, performance, and network settings use their
nested tables. dynamic_image, when set, must be pinned by a full sha256
digest.
JSON example:
{
"network": {
"timeout": 20.0,
"retries": 4,
"backoff_factor": 0.5,
"cache_dir": ".trustcheck-cache"
},
"advisories": {
"osv": true,
"osv_urls": ["https://advisories.example.com"],
"ecosystems": true,
"kev": true,
"kev_url": "https://www.cisa.gov/example/known_exploited.json",
"epss": true,
"epss_url": "https://api.first.org/data/v1/epss"
},
"performance": {
"max_workers": 8
}
}
Advisory settings:
osv: enable the public OSV providerosv_urls: additional OSV-compatible API base URLsecosystems: enable the Ecosyste.ms OSV-compatible providerkev: enable CISA Known Exploited Vulnerabilities enrichmentkev_url: override the KEV JSON feed URLepss: enable FIRST EPSS enrichmentepss_url: override the EPSS API base URL
CLI provider flags are additive with config-file providers. Duplicate base URLs are queried once.
Environment variables¶
The CLI also recognizes these environment variables:
TRUSTCHECK_TIMEOUTTRUSTCHECK_RETRIESTRUSTCHECK_BACKOFFTRUSTCHECK_CACHE_DIRTRUSTCHECK_OFFLINETRUSTCHECK_MAX_WORKERSTRUSTCHECK_POLICYTRUSTCHECK_WITH_OSVTRUSTCHECK_WITH_KEVTRUSTCHECK_SCAN_PROFILETRUSTCHECK_ARTIFACT_SCOPETRUSTCHECK_DYNAMIC_ANALYSISTRUSTCHECK_DYNAMIC_PYTHONTRUSTCHECK_DYNAMIC_IMAGE
Precedence¶
All supported settings use this precedence:
- CLI flags
- environment variables
- discovered or explicit project configuration
- built-in defaults
Offline mode¶
Use --offline when you want trustcheck to use cached responses only and avoid live network requests.
Example:
trustcheck inspect sampleproject \
--version 4.0.0 \
--cache-dir .trustcheck-cache \
--offline
Offline mode is useful in hermetic CI or for repeated local analysis after an initial cached run. PyPI responses use a SHA-256 content-addressed persistent cache with integrity verification.
Use repeatable --advisory-snapshot PATH for portable advisory data and
--write-advisory-snapshot PATH to create or update a snapshot. KEV and EPSS
data included in normalized snapshot records remains available offline.
Missing package metadata or artifacts still fail closed.
scan and environment can checkpoint target reports with
--resume-state PATH. State is reused only when the source, resolved targets,
policy, providers, indexes, and plugins produce the same fingerprint.
See Performance and extensibility for cache layout, batching, resume semantics, and plugin entry points.