TrustScope
Built on the OpenSSF Scorecard

Know how much you can trust an open-source project — before you adopt it.

Paste a public GitHub repo. TrustScope returns a four-pillar trust report with constructive, upstream-friendly fixes — and no misleading single score.

Try ossf/scorecard or sindresorhus/got. No sign-in needed to read a report.

Four questions, four pillars — one synthesis

Pillar 1 · Is it well-built?

Functional Quality

Honestly marked “not assessed”. Whether software is good is a hands-on judgement — we never fake it from automated signals.

Pillar 2 · Is it built securely?

Security & Supply Chain

The full OpenSSF Scorecard — token permissions, pinned dependencies, SAST, signed releases, and more.

Pillar 3 · Can I trust the project behind it?

Trust & Governance

License, security policy, who owns it, and whether there is a way to reach them when something breaks.

Pillar 4 · Will it be here in a year?

Community & Sustainability

Maintenance, contributors, and recent activity — read as a lifecycle stage, never as a grade.

How it works

1. Paste a repo
   Any public GitHub repository — URL or owner/repo.

2. We assess it
   OpenSSF Scorecard plus GitHub governance and lifecycle signals.

3. Read four pillars
   Per-pillar findings and constructive fixes — no single grade.

4. Send fixes upstream
   File a friendly, attributed issue as yourself.

Why no single score?

Each pillar answers a different question. A brilliant, secure library maintained by one person is not “7 out of 10” — it is strong on security and early on community. Collapsing that into one number hides exactly the trade-off you are trying to weigh. So we don't.