Know how much you can trust an open-source project — before you adopt it.
Paste a public GitHub repo. TrustScope returns a four-pillar trust report with constructive, upstream-friendly fixes — and no misleading single score.
Try ossf/scorecard or sindresorhus/got. No sign-in needed to read a report.
Four questions, four pillars — one synthesis
Functional Quality
Always marked “not assessed”: whether software is fit for purpose is a hands-on judgement, and we never fake it from automated signals.
Security & Supply Chain
Every OpenSSF Scorecard check, including token permissions, pinned dependencies, SAST, and signed releases.
Trust & Governance
License, security policy, who owns it, and whether there is a way to reach them when something breaks.
Community & Sustainability
Maintenance, contributors, and recent activity — read as a lifecycle stage, never as a grade.
How it works
Paste a repo
Any public GitHub repository — URL or owner/repo.
We assess it
OpenSSF Scorecard plus GitHub governance and lifecycle signals.
Read four pillars
Per-pillar findings and constructive fixes — no single grade.
Send fixes upstream
File a friendly, attributed issue as yourself.
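To make the assess, read-four-pillars and send-fixes-upstream steps concrete, here is an added Python example that is not TrustScope's or Scorecard's own code. It reads the JSON that `scorecard --repo=github.com/OWNER/REPO --format=json` prints, sorts each check into a pillar, reports every pillar separately (Functional Quality stays "not assessed", Community is read as a lifecycle stage), and drafts the body of an upstream issue from the failing checks. The check names are Scorecard's real identifiers; the pillar mapping, the pass/fail thresholds, the lifecycle heuristic, the fix wording and the sample Scorecard result are this example's own assumptions.

```python
"""Group OpenSSF Scorecard JSON output into four pillars, with no aggregate score.

Added example; not TrustScope's or Scorecard's own code. Input is the JSON
printed by `scorecard --repo=github.com/OWNER/REPO --format=json`. Check
names are Scorecard's real identifiers; the pillar mapping, the status and
lifecycle thresholds, the fix wording and the sample result are assumptions.
"""
import json

# Assumed mapping of Scorecard checks to pillars.
PILLARS = {
    "Security & Supply Chain": {
        "Token-Permissions", "Pinned-Dependencies", "SAST", "Signed-Releases",
        "Dangerous-Workflow", "Binary-Artifacts", "Branch-Protection",
        "Vulnerabilities", "Code-Review", "Fuzzing", "Packaging", "CI-Tests",
    },
    "Trust & Governance": {"License", "Security-Policy", "CII-Best-Practices"},
    "Community & Sustainability": {"Maintained", "Contributors"},
}

# Assumed, upstream-friendly fix wording for checks that commonly fail.
FIXES = {
    "Token-Permissions": "Add a top-level `permissions:` block with read-only "
                         "defaults to each workflow and grant write scopes per job.",
    "Pinned-Dependencies": "Pin GitHub Actions and package installs to a full "
                           "commit SHA or hash instead of a mutable tag.",
    "Security-Policy": "Add a SECURITY.md that says how to report a vulnerability.",
    "Signed-Releases": "Sign release artifacts and publish the signatures with them.",
}

# Constructed sample in the shape Scorecard emits, trimmed to the fields used here.
SAMPLE_SCORECARD_JSON = json.dumps({
    "repo": {"name": "github.com/example/widget", "commit": "0123abcd"},
    "score": 6.8,  # Scorecard's single number; deliberately never copied out
    "checks": [
        {"name": "Token-Permissions", "score": 0,
         "reason": "detected GitHub workflow tokens with excessive permissions",
         "details": ["Warn: no topLevel permission defined: .github/workflows/ci.yml:1"]},
        {"name": "Pinned-Dependencies", "score": 3,
         "reason": "dependency not pinned by hash detected -- score normalized to 3",
         "details": ["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:14"]},
        {"name": "SAST", "score": 10, "reason": "SAST tool is run on all commits", "details": None},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found", "details": None},
        {"name": "License", "score": 10, "reason": "license file detected", "details": None},
        {"name": "Security-Policy", "score": 0, "reason": "security policy file not detected", "details": None},
        {"name": "Maintained", "score": 10,
         "reason": "30 commit(s) and 4 issue activity found in the last 90 days", "details": None},
        {"name": "Contributors", "score": 3,
         "reason": "project has 1 contributing companies or organizations", "details": None},
    ],
})


def parse_checks(raw_json):
    """Return {check name: check object} from a Scorecard JSON document."""
    return {c["name"]: c for c in json.loads(raw_json).get("checks", [])}


def check_status(check):
    """Scorecard reports -1 when a check could not run; never treat that as 0."""
    score = check.get("score", -1)
    if score < 0:
        return "not run"
    return "pass" if score >= 8 else "partial" if score >= 5 else "fail"


def lifecycle_stage(checks):
    """Assumed heuristic: Maintained and Contributors read as a stage, not a grade."""
    maintained = checks.get("Maintained", {}).get("score", -1)
    contributors = checks.get("Contributors", {}).get("score", -1)
    if maintained < 0 and contributors < 0:
        return "unknown"
    if maintained == 0:
        return "dormant"
    return "early" if contributors < 5 else "established"


def pillar_report(checks):
    """Per-pillar findings carrying each check's own reason and evidence.
    Functional Quality is always 'not assessed'; no aggregate score is produced."""
    report = {"Functional Quality": {"status": "not assessed", "findings": []}}
    for pillar, names in PILLARS.items():
        findings = []
        for name in sorted(n for n in names if n in checks):
            check = checks[name]
            status = check_status(check)
            findings.append({
                "check": name,
                "status": status,
                "reason": check.get("reason", ""),
                "evidence": check.get("details") or [],
                "fix": FIXES.get(name) if status == "fail" else None,
            })
        report[pillar] = {"status": "assessed", "findings": findings}
    report["Community & Sustainability"]["stage"] = lifecycle_stage(checks)
    return report


def upstream_issue_body(report):
    """Draft one upstream issue listing the actionable fixes with their evidence."""
    lines = []
    for data in report.values():
        for f in data["findings"]:
            if f["fix"]:
                lines.append(f"- {f['check']}: {f['fix']}")
                lines.extend(f"    {e}" for e in f["evidence"])
    return "\n".join(lines)


if __name__ == "__main__":
    rep = pillar_report(parse_checks(SAMPLE_SCORECARD_JSON))
    print(json.dumps(rep, indent=2))
    print(upstream_issue_body(rep))
```

Note that a check Scorecard could not run (score -1, here Signed-Releases because the sample repo has no releases) is reported as "not run" rather than as a failure, and the Community pillar comes out as a stage ("early", because only one organisation contributes) rather than a number.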
Why no single score?
Each pillar answers a different question. A brilliant, secure library maintained by one person is not “7 out of 10” — it is strong on security and early on community. Collapsing that into one number hides exactly the trade-off you are trying to weigh. So we don't.