Skip to content

Benchmarks

Trustcheck publishes a reproducible fixed-input performance and correctness comparison of trustcheck scan against the workflow-pinned pip-audit 2.10.1. The benchmark uses a versioned corpus manifest and the OSV advisory service for both tools. Only those two command paths contribute timing or correctness samples. The Trustcheck command explicitly uses --fast, limiting it to advisory lookup and lockfile/requirements parsing for an apples-to-apples comparison.

The corpus is benchmarks/corpus/corpus.json. Version 2026.06 contains 135 package entries: 100 mixed clean and historically vulnerable PyPI pins, marker and extra cases, private-index inputs, pip-tools, PEP 751, uv, Poetry, and PDM lockfiles, VCS and editable dependencies, intentionally malformed requirements, and dedicated resolution/profile evidence cases. Direct timing and correctness use only cases marked compare_with_pip_audit.

Comparable requirements cases audit their declared pins directly. Trustcheck and pip-audit both use --no-deps, and pip-audit also uses --disable-pip, so historical releases do not execute build backends or need to resolve into one compatible environment. The README table is therefore a fixed-input --no-deps comparison, not a full dependency-resolution benchmark.

Correctness is alias-aware: advisories match when any normalized CVE, GHSA, PYSEC, or provider ID overlaps. The raw unmatched records remain in the JSON result so agreement cannot hide feed or normalization differences. Recall is measured against the signed benchmarks/corpus/truth.json, which contains independently curated vulnerable and clean package-version pairs, aliases, fixed versions, withdrawals, markers, extras, and private-index cases. truth.json.sig is verified with the checked-in public key before a benchmark runs. The manifest's minimum recall and maximum false-positive gates make the benchmark exit nonzero on a Trustcheck regression.

Separate evidence suites publish complete dependency resolution and Trustcheck standard/full profile results. Every suite records cold-cache and warm-cache p50/p95, peak RSS, request samples where the tool reports them, and exact commands. Resolution evidence compares complete package/version sets. Advisory recall uses the signed curated truth corpus as its reference. Profile evidence records how many artifacts had provenance, verification, static inspection, native analysis, and heuristic findings. Trustcheck request counts come from report diagnostics; pip-audit request counts are null because the tool does not expose that measurement.

The benchmark workflow runs manually, after the release workflow completes, and on a weekly schedule. It publishes the raw JSON as a retained workflow artifact and prints the generated README evidence table into the workflow summary for maintainer review. Publication requires at least five warm samples per tool, a signed truth corpus with declared correctness gates, no truth-corpus regressions, and no one-sided advisory findings. Local runs default to benchmarks/results/latest.json; commit or publish that file only when it was regenerated from the current corpus and environment. pip-audit exits 1 when it finds vulnerabilities; trustcheck scan exits 0 here because the benchmark intentionally uses its default non-blocking policy. Commands that return an accepted exit code but no output are retried twice; the result records this setting and includes retry time in the timing sample.

python benchmarks/benchmark_against_pip_audit.py

Wall-time results include package metadata and advisory requests plus output generation. The benchmark reports observed performance rather than claiming feature-equivalent work.

Malicious-package calibration

The pip-audit benchmark does not calibrate malicious-package scoring because it runs trustcheck scan --fast and excludes artifact, history, AST, native binary, and dynamic-analysis heuristics. The seed manifest for that separate security milestone is benchmarks/corpus/malicious-calibration.json.

That manifest is versioned and defines required strata for known malicious PyPI releases, typo-squats, benign native-extension packages, legitimate packages that use powerful capabilities, and deliberately weird but harmless academic or development packages. It is currently marked seed-unmeasured; until reviewed entries and a reproducible runner are published, malicious-package confidence and false-positive values remain estimated rule priors rather than empirical measurements.

Acceptance matrix

The Acceptance Matrix workflow is separate from fast pull-request and push CI. It runs nightly and manually across Linux, macOS, Windows, and every supported Python version. Each job executes one real trustcheck scan case from scripts/acceptance_matrix.py and uploads the rendered report.

The matrix covers selected public packages and corpus fixtures for pip-tools, uv, Poetry, PDM, PEP 751 pylock.toml, extras and markers, private-index directives, native wheels, and sdists. The private-index fixture accepts the expected upstream failure for intentionally internal package names but still requires a rendered report.