Quickstart

Inspect the latest release

trustcheck inspect requests

Inspect a specific version

trustcheck inspect sampleproject --version 4.0.0

Show only known vulnerabilities

trustcheck inspect sampleproject --version 4.0.0 --cve

Require a known source repository

trustcheck inspect sampleproject \
  --version 4.0.0 \
  --expected-repo https://github.com/pypa/sampleproject

Show per-file evidence

trustcheck inspect sampleproject --version 4.0.0 --verbose

Inspect direct dependencies too

trustcheck inspect sampleproject --version 4.0.0 --with-deps

Inspect the full dependency tree

trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps

Scan a requirements-style file

trustcheck scan requirements.txt

Scan a TOML dependency file

trustcheck scan pyproject.toml

When dependency inspection is enabled, the text report adds a dependency summary with the number of declared and inspected dependencies, the maximum traversal depth, and the highest-risk dependency recommendation observed in the set. --with-deps inspects only direct dependencies. --with-transitive-deps continues recursively through nested dependencies too.

Emit machine-readable JSON

trustcheck inspect sampleproject --version 4.0.0 --format json

To emit combined JSON for every package in a requirements-style or TOML dependency file:

trustcheck scan requirements.txt --format json

To emit only the known vulnerability records in JSON:

trustcheck inspect sampleproject --version 4.0.0 --cve --format json

Enforce a conservative gate

trustcheck inspect sampleproject --version 4.0.0 --strict
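One way to turn the strict gate above into a per-package policy check over a pinned requirements file, as an added example that is not part of the trustcheck project: it combines the --strict and --expected-repo flags shown in this quickstart and assumes (the quickstart does not say so) that a failed gate is reported through a non-zero exit status.

```python
"""Gate a pinned requirements file through trustcheck, package by package.

Added example, not part of the trustcheck project. It assumes (the quickstart
does not say) that `trustcheck inspect --strict` exits non-zero on failure.
"""
import re
import shlex
import subprocess

# Matches an exact pin such as "sampleproject==4.0.0"; the version ends at
# whitespace, an environment marker (';') or an inline comment ('#').
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(text):
    """Return (name, version) for each '==' pin; comments, options and ranges are skipped."""
    pins = []
    for line in text.splitlines():
        match = _PIN.match(line)
        if match:
            pins.append((match.group(1).lower(), match.group(2)))
    return pins


def build_command(name, version, expected_repo=None):
    """argv for one strict inspection; --expected-repo only when policy names the source."""
    cmd = ["trustcheck", "inspect", name, "--version", version, "--strict"]
    if expected_repo:
        cmd += ["--expected-repo", expected_repo]
    return cmd


def run_gate(requirements_text, expected_repos, runner=subprocess.run):
    """Inspect every pin and return the names that failed; an empty list means the gate passed."""
    failed = []
    for name, version in parse_pins(requirements_text):
        result = runner(build_command(name, version, expected_repos.get(name)))
        if result.returncode != 0:  # assumption: non-zero return code signals a failed gate
            failed.append(name)
    return failed


if __name__ == "__main__":
    # Constructed sample input: a short pinned requirements file plus a source policy.
    sample = "# pinned\nsampleproject==4.0.0  # pypa sample\n-e ./local\nrequests>=2\n"
    policy = {"sampleproject": "https://github.com/pypa/sampleproject"}
    for name, version in parse_pins(sample):
        print(shlex.join(build_command(name, version, policy.get(name))))
    print("failed:", run_gate(sample, policy))
```

Only exact `==` pins are inspected, since trustcheck inspects one concrete version at a time; unpinned ranges are deliberately left out rather than silently resolved.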

What to look for

A strong result usually includes:

  • verified provenance for all discovered release artifacts
  • publisher identity details tied to a repository and workflow
  • no high-severity risk flags
  • no repository mismatch against your expected source

A weaker but still potentially acceptable result is metadata-only, which means trustcheck did not obtain a fully verified artifact set but also did not detect enough risk to escalate the release.

A review-required result can include packages that publish no provenance at all. That is weaker than a fully verified release, but it is intentionally distinct from stronger negative evidence such as failed verification or mismatched provenance.