trustcheck 2.1.2__tar.gz → 2.2.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (242)
  1. trustcheck-2.2.0/.github/workflows/acceptance-matrix.yml +56 -0
  2. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/benchmarks.yml +6 -0
  3. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/ci.yml +3 -3
  4. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/codeql.yml +3 -3
  5. trustcheck-2.2.0/.github/workflows/plagiarism-scan.yml +128 -0
  6. trustcheck-2.2.0/.github/workflows/post-release-parity.yml +90 -0
  7. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/publish.yml +4 -4
  8. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/sarif-integration.yml +1 -1
  9. {trustcheck-2.1.2 → trustcheck-2.2.0}/CHANGELOG.md +32 -2
  10. trustcheck-2.2.0/MANIFEST.in +2 -0
  11. {trustcheck-2.1.2/src/trustcheck.egg-info → trustcheck-2.2.0}/PKG-INFO +160 -21
  12. {trustcheck-2.1.2 → trustcheck-2.2.0}/README.md +159 -20
  13. {trustcheck-2.1.2 → trustcheck-2.2.0}/action.yml +10 -2
  14. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/README.md +16 -7
  15. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/corpus.json +9 -0
  16. trustcheck-2.2.0/benchmarks/corpus/malicious-calibration.json +102 -0
  17. trustcheck-2.2.0/benchmarks/corpus/pdm.lock +22 -0
  18. trustcheck-2.2.0/benchmarks/results/benchmark-public-key.pem +11 -0
  19. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/results/latest.json +339 -866
  20. trustcheck-2.2.0/benchmarks/results/latest.json.sig +1 -0
  21. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/changelog.md +1 -1
  22. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/index.md +67 -3
  23. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/getting-started/quickstart.md +31 -2
  24. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/guides/ci-integration.md +85 -13
  25. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/index.md +32 -3
  26. trustcheck-2.2.0/docs/reference/benchmarks.md +92 -0
  27. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/industry-formats.md +20 -9
  28. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/json-contract.md +11 -9
  29. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/malicious-package-detection.md +28 -3
  30. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/python-api.md +3 -2
  31. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/remediation.md +36 -13
  32. {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_exports.py +9 -1
  33. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/action.lock +1 -0
  34. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/ci.in +3 -3
  35. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/ci.lock +22 -23
  36. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/semgrep.in +1 -1
  37. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/semgrep.lock +118 -69
  38. trustcheck-2.2.0/scripts/acceptance_matrix.py +212 -0
  39. trustcheck-2.2.0/scripts/github_plagiarism_scan.py +307 -0
  40. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/update_benchmark_table.py +22 -14
  41. trustcheck-2.2.0/scripts/verify_release_channels.py +361 -0
  42. trustcheck-2.2.0/src/trustcheck/__init__.py +278 -0
  43. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/_version.py +2 -2
  44. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/attestations.py +106 -41
  45. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli.py +866 -7
  46. trustcheck-2.2.0/src/trustcheck/cli_commands/diff.py +408 -0
  47. trustcheck-2.2.0/src/trustcheck/cli_commands/doctor.py +31 -0
  48. trustcheck-2.2.0/src/trustcheck/cli_commands/impact.py +168 -0
  49. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/inspect.py +8 -3
  50. trustcheck-2.2.0/src/trustcheck/cli_commands/install.py +931 -0
  51. trustcheck-2.2.0/src/trustcheck/cli_commands/manifest.py +260 -0
  52. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/scan.py +9 -3
  53. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_render.py +107 -0
  54. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/contract.py +14 -2
  55. trustcheck-2.2.0/src/trustcheck/diff.py +917 -0
  56. trustcheck-2.2.0/src/trustcheck/doctor.py +432 -0
  57. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/export_models.py +9 -0
  58. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/export_xml.py +33 -10
  59. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/exports.py +392 -54
  60. trustcheck-2.2.0/src/trustcheck/impact.py +882 -0
  61. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/malicious.py +33 -33
  62. trustcheck-2.2.0/src/trustcheck/manifest.py +1028 -0
  63. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/policy.py +35 -1
  64. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/provenance.py +182 -0
  65. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/remediation.py +197 -23
  66. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/remediation_models.py +47 -1
  67. trustcheck-2.2.0/src/trustcheck/remediation_render.py +91 -0
  68. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/snapshots.py +35 -7
  69. {trustcheck-2.1.2 → trustcheck-2.2.0/src/trustcheck.egg-info}/PKG-INFO +160 -21
  70. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/SOURCES.txt +24 -0
  71. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/snapshots/contract_schema.json +2 -0
  72. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_attestations.py +42 -0
  73. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_benchmark_results.py +40 -0
  74. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_ci_workflow.py +82 -1
  75. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_cli.py +276 -1
  76. trustcheck-2.2.0/tests/test_diff.py +816 -0
  77. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_docker_workflows.py +7 -7
  78. trustcheck-2.2.0/tests/test_doctor.py +371 -0
  79. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_edge_cases.py +8 -0
  80. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_exports.py +103 -0
  81. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_github_action.py +16 -0
  82. trustcheck-2.2.0/tests/test_impact.py +633 -0
  83. trustcheck-2.2.0/tests/test_install_command.py +880 -0
  84. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_lockfiles.py +13 -0
  85. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_malicious.py +3 -3
  86. trustcheck-2.2.0/tests/test_manifest.py +818 -0
  87. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_performance_extensibility.py +52 -2
  88. trustcheck-2.2.0/tests/test_plagiarism_scan.py +257 -0
  89. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_provenance.py +95 -1
  90. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_public_api.py +23 -2
  91. trustcheck-2.2.0/tests/test_release_channels.py +160 -0
  92. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_release_readiness.py +39 -2
  93. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_remediation.py +436 -0
  94. trustcheck-2.1.2/MANIFEST.in +0 -1
  95. trustcheck-2.1.2/benchmarks/results/benchmark-public-key.pem +0 -11
  96. trustcheck-2.1.2/benchmarks/results/latest.json.sig +0 -1
  97. trustcheck-2.1.2/docs/reference/benchmarks.md +0 -60
  98. trustcheck-2.1.2/src/trustcheck/__init__.py +0 -193
  99. trustcheck-2.1.2/src/trustcheck/remediation_render.py +0 -50
  100. {trustcheck-2.1.2 → trustcheck-2.2.0}/.dockerignore +0 -0
  101. {trustcheck-2.1.2 → trustcheck-2.2.0}/.gitattributes +0 -0
  102. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/CODEOWNERS +0 -0
  103. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/ISSUE_TEMPLATE/general.yml +0 -0
  104. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/dependabot.yml +0 -0
  105. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/trustcheck-action-fail-policy.json +0 -0
  106. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/action-integration.yml +0 -0
  107. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/bandit.yml +0 -0
  108. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/binary-security.yml +0 -0
  109. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/docs.yml +0 -0
  110. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/fuzz.yml +0 -0
  111. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/live-integration.yml +0 -0
  112. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/mutation.yml +0 -0
  113. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/semgrep.yml +0 -0
  114. {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/source-build.yml +0 -0
  115. {trustcheck-2.1.2 → trustcheck-2.2.0}/.gitignore +0 -0
  116. {trustcheck-2.1.2 → trustcheck-2.2.0}/.pre-commit-hooks.yaml +0 -0
  117. {trustcheck-2.1.2 → trustcheck-2.2.0}/CONTRIBUTING.md +0 -0
  118. {trustcheck-2.1.2 → trustcheck-2.2.0}/Dockerfile +0 -0
  119. {trustcheck-2.1.2 → trustcheck-2.2.0}/LICENSE +0 -0
  120. {trustcheck-2.1.2 → trustcheck-2.2.0}/SECURITY.md +0 -0
  121. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/benchmark_against_pip_audit.py +0 -0
  122. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/poetry.lock +0 -0
  123. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/pylock.toml +0 -0
  124. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-hashed.txt +0 -0
  125. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-main.txt +0 -0
  126. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-malformed.txt +0 -0
  127. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-markers-extras.txt +0 -0
  128. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-private-index.txt +0 -0
  129. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-profiles.txt +0 -0
  130. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-resolution.txt +0 -0
  131. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-vcs-editable.txt +0 -0
  132. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements.txt +0 -0
  133. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/truth-public-key.pem +0 -0
  134. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/truth.json +0 -0
  135. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/truth.json.sig +0 -0
  136. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/uv.lock +0 -0
  137. {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/measure_command.py +0 -0
  138. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/assets/images/logo-bg-less.png +0 -0
  139. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/assets/images/logo.png +0 -0
  140. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/assets/javascripts/disable-search-shortcut.js +0 -0
  141. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/configuration.md +0 -0
  142. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/exit-codes.md +0 -0
  143. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/policies.md +0 -0
  144. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/getting-started/installation.md +0 -0
  145. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/compatibility.md +0 -0
  146. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/performance-extensibility.md +0 -0
  147. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/recommendations.md +0 -0
  148. {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/trust-model.md +0 -0
  149. {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/README.md +0 -0
  150. {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_artifacts.py +0 -0
  151. {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_indexes.py +0 -0
  152. {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_lockfiles.py +0 -0
  153. {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_provenance.py +0 -0
  154. {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_requirements.py +0 -0
  155. {trustcheck-2.1.2 → trustcheck-2.2.0}/mkdocs.yml +0 -0
  156. {trustcheck-2.1.2 → trustcheck-2.2.0}/pyproject.toml +0 -0
  157. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/fuzz.in +0 -0
  158. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/fuzz.lock +0 -0
  159. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/runtime.in +0 -0
  160. {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/runtime.lock +0 -0
  161. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/benchmark_signature.py +0 -0
  162. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/build_msix_layout.py +0 -0
  163. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/build_standalone.py +0 -0
  164. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/check_mutation_score.py +0 -0
  165. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/dependency_bounds.py +0 -0
  166. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/smoke_test_distribution.py +0 -0
  167. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/trustcheck_binary.py +0 -0
  168. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/update_coverage_badge.py +0 -0
  169. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/validate_sarif.py +0 -0
  170. {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/verify_release_version.py +0 -0
  171. {trustcheck-2.1.2 → trustcheck-2.2.0}/setup.cfg +0 -0
  172. {trustcheck-2.1.2 → trustcheck-2.2.0}/snap/README.md +0 -0
  173. {trustcheck-2.1.2 → trustcheck-2.2.0}/snap/gui/icon.png +0 -0
  174. {trustcheck-2.1.2 → trustcheck-2.2.0}/snap/snapcraft.yaml +0 -0
  175. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/__main__.py +0 -0
  176. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/_resolver_guard.py +0 -0
  177. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/advisories.py +0 -0
  178. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/artifacts.py +0 -0
  179. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cache.py +0 -0
  180. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/__init__.py +0 -0
  181. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/context.py +0 -0
  182. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/environment.py +0 -0
  183. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_models.py +0 -0
  184. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_runtime.py +0 -0
  185. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_targets.py +0 -0
  186. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/dynamic.py +0 -0
  187. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/github_action.py +0 -0
  188. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/indexes.py +0 -0
  189. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/lockfiles.py +0 -0
  190. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/models.py +0 -0
  191. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/plugins.py +0 -0
  192. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/pre_commit.py +0 -0
  193. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/py.typed +0 -0
  194. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/pypi.py +0 -0
  195. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/resolver.py +0 -0
  196. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/resume.py +0 -0
  197. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/schemas.py +0 -0
  198. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/service.py +0 -0
  199. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/service_state.py +0 -0
  200. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/service_urls.py +0 -0
  201. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/workspace.py +0 -0
  202. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/dependency_links.txt +0 -0
  203. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/entry_points.txt +0 -0
  204. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/requires.txt +0 -0
  205. {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/top_level.txt +0 -0
  206. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/bad-scan.toml +0 -0
  207. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/cache/5e491d79f8ba9e36d864ae50c690989677616cd509e5b99abb9272c8ad976435.json +0 -0
  208. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/config_non_object.json +0 -0
  209. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/empty-scan.toml +0 -0
  210. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/empty-scan.txt +0 -0
  211. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/invalid-scan.txt +0 -0
  212. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/policy_non_object.json +0 -0
  213. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/scan-poetry.toml +0 -0
  214. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/scan-project.toml +0 -0
  215. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/fixtures/client_config.json +0 -0
  216. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/fixtures/policy_require_expected_repo.json +0 -0
  217. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/fixtures/requirements-vulnerable.txt +0 -0
  218. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/snapshots/report_minimal.json +0 -0
  219. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/snapshots/report_verified.json +0 -0
  220. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_advisories.py +0 -0
  221. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_artifacts.py +0 -0
  222. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_binary_security_workflow.py +0 -0
  223. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_contract.py +0 -0
  224. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_dependency_bounds.py +0 -0
  225. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_dynamic.py +0 -0
  226. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_indexes.py +0 -0
  227. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_integration_live.py +0 -0
  228. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_msix_packaging.py +0 -0
  229. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_mutation_score.py +0 -0
  230. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_plugin_security.py +0 -0
  231. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_pre_commit.py +0 -0
  232. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_property_invariants.py +0 -0
  233. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_pypi.py +0 -0
  234. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_release_executable.py +0 -0
  235. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_release_version.py +0 -0
  236. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_resolver.py +0 -0
  237. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_resolver_guard.py +0 -0
  238. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_sarif_validation.py +0 -0
  239. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_scan_profiles.py +0 -0
  240. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_service.py +0 -0
  241. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_snap_packaging.py +0 -0
  242. {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_workspace.py +0 -0
@@ -0,0 +1,56 @@
1
+ name: Acceptance Matrix
2
+
3
+ on:
4
+ workflow_dispatch:
5
+ schedule:
6
+ - cron: "47 4 * * *"
7
+
8
+ permissions:
9
+ contents: read
10
+
11
+ concurrency:
12
+ group: acceptance-matrix-main
13
+ cancel-in-progress: false
14
+
15
+ jobs:
16
+ acceptance:
17
+ name: ${{ matrix.case }} / ${{ matrix.os }} / Python ${{ matrix.python-version }}
18
+ runs-on: ${{ matrix.os }}
19
+ timeout-minutes: 45
20
+ strategy:
21
+ fail-fast: false
22
+ matrix:
23
+ os: [ubuntu-latest, macos-latest, windows-latest]
24
+ python-version: ["3.11", "3.12", "3.13", "3.14"]
25
+ case: [pip-tools, uv-lock, poetry-lock, pdm-lock, pep751-pylock, extras-markers, private-index-fixture, native-wheel, sdist]
26
+
27
+ steps:
28
+ - name: Check out repository
29
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
30
+ with:
31
+ persist-credentials: false
32
+
33
+ - name: Set up Python
34
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
35
+ with:
36
+ python-version: ${{ matrix.python-version }}
37
+ cache: pip
38
+
39
+ - name: Install acceptance environment
40
+ run: |
41
+ python -m pip install --disable-pip-version-check --require-hashes --requirement requirements/runtime.lock
42
+ python -m pip install --disable-pip-version-check --no-build-isolation --no-deps -e .
43
+ python -m pip check
44
+
45
+ - name: Run acceptance case
46
+ env:
47
+ TRUSTCHECK_RUN_ACCEPTANCE: "1"
48
+ run: python scripts/acceptance_matrix.py --case "${{ matrix.case }}" --report-dir acceptance-reports
49
+
50
+ - name: Upload acceptance report
51
+ if: always()
52
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
53
+ with:
54
+ name: acceptance-${{ matrix.case }}-${{ matrix.os }}-py${{ matrix.python-version }}
55
+ path: acceptance-reports/
56
+ if-no-files-found: warn
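Review bot: in the `Upload acceptance report` step at the end of this hunk, `if-no-files-found: warn` lets a case that crashes before writing anything under `acceptance-reports/` finish with a green upload step and only a warning; since this nightly matrix exists to leave per-case evidence, `if-no-files-found: error` together with the existing `if: always()` would make a missing report fail loudly instead of disappearing into the log. Two smaller points: the `actions/upload-artifact` pin records only `# v7` while every other pin in this file carries the full `vX.Y.Z` tag, so its SHA cannot be matched to a release by reading the file; and the matrix as written is 3 operating systems by 4 Python versions by 9 cases, 108 runners per nightly run, which deserves a comment in the workflow so the cost is visibly a deliberate choice.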
@@ -2,6 +2,11 @@ name: Benchmarks
2
2
 
3
3
  on:
4
4
  workflow_dispatch:
5
+ schedule:
6
+ - cron: "23 4 * * 1"
7
+ workflow_run:
8
+ workflows: ["Release"]
9
+ types: [completed]
5
10
 
6
11
  permissions:
7
12
  contents: read
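Review bot: the new `workflow_run` trigger binds to the release workflow by display name (`workflows: ["Release"]`), so a later edit to that workflow's `name:` silently stops these post-release benchmark runs with no error anywhere. `tests/test_ci_workflow.py` is touched in this same release and is the natural place to assert that the string referenced here still matches the release workflow's `name:`; alternatively, add a `branches:` filter on the trigger so the coupling is at least documented next to the event.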
@@ -12,6 +17,7 @@ concurrency:
12
17
 
13
18
  jobs:
14
19
  pip-audit-comparison:
20
+ if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
15
21
  runs-on: ubuntu-latest
16
22
  timeout-minutes: 45
17
23
  steps:
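Review bot: the added `if:` only filters `workflow_run` events by `conclusion`; the event fires for every completed run of `Release` regardless of the branch or tag that triggered it, so a successful release attempt from a non-default branch would also drive this benchmark job. If the results feed `scripts/update_benchmark_table.py` (also changed in this release), consider additionally checking `github.event.workflow_run.head_branch`, or adding a `branches:` filter on the `workflow_run` trigger in the hunk above, so benchmarks are only published for releases cut from the intended ref.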
@@ -248,11 +248,11 @@ jobs:
248
248
 
249
249
  - name: Set up Docker Buildx
250
250
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
251
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
251
+ uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
252
252
 
253
253
  - name: Log in to GitHub Container Registry
254
254
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
255
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
255
+ uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
256
256
  with:
257
257
  registry: ghcr.io
258
258
  username: ${{ github.actor }}
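Review bot: the SHA pins for `docker/setup-buildx-action` and `docker/login-action` are bumped together with their version comments (v4.1.0 to v4.2.0, and v4.2.0 to v4.4.0, skipping v4.3.0), but nothing on this page records how the new SHAs were obtained, and the `# vX.Y.Z` comment is not checked by anything at runtime, so a wrong SHA beside a correct-looking comment would pass review. Note in the change description whether these came from Dependabot or were copied from the upstream release tags, and, since the login action handles the registry credential, confirm the v4.4.0 SHA against the upstream tag rather than the comment.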
@@ -279,7 +279,7 @@ jobs:
279
279
 
280
280
  - name: Build and publish CI Docker image
281
281
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
282
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
282
+ uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
283
283
  with:
284
284
  context: .
285
285
  file: ./Dockerfile
@@ -25,7 +25,7 @@ jobs:
25
25
  fetch-depth: 0
26
26
 
27
27
  - name: Initialize CodeQL
28
- uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
28
+ uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
29
29
  with:
30
30
  languages: python
31
31
 
@@ -35,7 +35,7 @@ jobs:
35
35
  python-version: "3.12"
36
36
 
37
37
  - name: Autobuild
38
- uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
38
+ uses: github/codeql-action/autobuild@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
39
39
 
40
40
  - name: Perform CodeQL analysis
41
- uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
41
+ uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
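Review bot: both pins in this hunk (`codeql-action/autobuild` and `codeql-action/analyze`) move to a new commit while their comments stay `# v4`, a major-only tag that is re-pointed on every release; a reader therefore cannot tell which CodeQL release the SHA corresponds to, or whether the bump is a patch or a feature change. Record the full release tag (`# v4.x.y`) in the comment, as the `docker/*` and `actions/*` pins elsewhere in this release do, so the SHA can be matched to an upstream release by inspection.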
@@ -0,0 +1,128 @@
1
+ name: GitHub Code Copy Scan
2
+
3
+ on:
4
+ workflow_dispatch:
5
+ schedule:
6
+ - cron: "37 3 * * *"
7
+
8
+ permissions:
9
+ contents: write
10
+ issues: write
11
+ pull-requests: write
12
+
13
+ concurrency:
14
+ group: github-code-copy-scan
15
+ cancel-in-progress: false
16
+
17
+ jobs:
18
+ scan:
19
+ name: Search GitHub for copied code
20
+ runs-on: ubuntu-latest
21
+
22
+ steps:
23
+ - name: Check out repository
24
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
25
+ with:
26
+ fetch-depth: 0
27
+ persist-credentials: false
28
+
29
+ - name: Set up Python
30
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
31
+ with:
32
+ python-version: "3.12"
33
+
34
+ - name: Search public GitHub code
35
+ env:
36
+ GITHUB_TOKEN: ${{ secrets.TRUSTCHECK_GITHUB_SEARCH_TOKEN || github.token }}
37
+ GITHUB_REPOSITORY: ${{ github.repository }}
38
+ run: |
39
+ python scripts/github_plagiarism_scan.py \
40
+ --source src/trustcheck \
41
+ --output reports/github-code-copy-findings.md \
42
+ --max-fingerprints 20 \
43
+ --per-page 10
44
+
45
+ - name: Open or update findings pull request or issue
46
+ env:
47
+ BRANCH: automation/github-code-copy-findings
48
+ GH_TOKEN: ${{ secrets.TRUSTCHECK_PR_TOKEN || github.token }}
49
+ ISSUE_TITLE: GitHub code copy scan findings
50
+ REPORT_PATH: reports/github-code-copy-findings.md
51
+ run: |
52
+ if [ -z "$(git status --porcelain -- "$REPORT_PATH")" ]; then
53
+ echo "No code-copy finding changes to publish."
54
+ exit 0
55
+ fi
56
+
57
+ git config user.name "github-actions[bot]"
58
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
59
+ git checkout -B "$BRANCH"
60
+ git add "$REPORT_PATH"
61
+ git commit -m "Update GitHub code copy scan findings"
62
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
63
+ git push --force-with-lease origin "$BRANCH"
64
+
65
+ existing_pr="$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number // empty')"
66
+ if [ -n "$existing_pr" ]; then
67
+ gh pr edit "$existing_pr" \
68
+ --title "Update GitHub code copy scan findings" \
69
+ --body-file "$REPORT_PATH"
70
+ else
71
+ pr_url="https://github.com/${GITHUB_REPOSITORY}/pull/new/${BRANCH}"
72
+ create_error="$(mktemp)"
73
+ if gh pr create \
74
+ --base main \
75
+ --head "$BRANCH" \
76
+ --title "Update GitHub code copy scan findings" \
77
+ --body-file "$REPORT_PATH" \
78
+ 2>"$create_error"; then
79
+ exit 0
80
+ fi
81
+
82
+ cat "$create_error"
83
+ if grep -q "not permitted to create" "$create_error"; then
84
+ issue_body="$(mktemp)"
85
+ {
86
+ echo "GitHub Actions pushed the code-copy findings branch, but this repository does not permit Actions to create pull requests."
87
+ echo
88
+ echo "Findings branch: https://github.com/${GITHUB_REPOSITORY}/tree/${BRANCH}"
89
+ echo
90
+ echo "Manual pull request URL: ${pr_url}"
91
+ echo
92
+ cat "$REPORT_PATH"
93
+ } > "$issue_body"
94
+
95
+ existing_issue="$(
96
+ gh issue list \
97
+ --state open \
98
+ --search "${ISSUE_TITLE} in:title" \
99
+ --json number,title \
100
+ --jq ".[] | select(.title == \"${ISSUE_TITLE}\") | .number" \
101
+ | head -n 1
102
+ )"
103
+ if [ -n "$existing_issue" ]; then
104
+ gh issue edit "$existing_issue" \
105
+ --title "$ISSUE_TITLE" \
106
+ --body-file "$issue_body"
107
+ issue_url="https://github.com/${GITHUB_REPOSITORY}/issues/${existing_issue}"
108
+ else
109
+ issue_url="$(
110
+ gh issue create \
111
+ --title "$ISSUE_TITLE" \
112
+ --body-file "$issue_body"
113
+ )"
114
+ fi
115
+
116
+ {
117
+ echo "### GitHub code copy scan findings"
118
+ echo
119
+ echo "The findings branch was pushed, but GitHub Actions is not permitted to create pull requests in this repository."
120
+ echo
121
+ echo "Issue: ${issue_url}"
122
+ echo
123
+ echo "Manual pull request URL: ${pr_url}"
124
+ } >> "$GITHUB_STEP_SUMMARY"
125
+ exit 0
126
+ fi
127
+ exit 1
128
+ fi
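Review bot: in the `Open or update findings pull request or issue` step, `git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` writes the token into `.git/config`, which undoes the `persist-credentials: false` chosen for the checkout in this same job; pass the authenticated URL only to the push command (`git push --force-with-lease "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$BRANCH"`) or run `gh auth setup-git` so the token never lands on disk. Second, the fallback path keys on `grep -q "not permitted to create"` matching GitHub's error text, which is not a stable contract; a wording change flips this step from the issue fallback to a bare `exit 1`, so either match on the exit status plus a broader pattern or document that the string is being relied on. Third, the report body handed to `gh pr create`/`gh issue create` via `--body-file` is assembled from public code search results, so file paths and snippets from arbitrary repositories are posted verbatim into this repository; `scripts/github_plagiarism_scan.py` should fence or escape that content, since `@`-mentions and Markdown in it will be rendered and notify unrelated users.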
@@ -0,0 +1,90 @@
1
+ name: Post-release Channel Parity
2
+
3
+ on:
4
+ workflow_run:
5
+ workflows: ["Release"]
6
+ types: [completed]
7
+ workflow_dispatch:
8
+ inputs:
9
+ tag:
10
+ description: Release tag to verify, such as v2.1.1.
11
+ required: true
12
+ observed-json:
13
+ description: URL or repository path for normalized channel observations.
14
+ required: true
15
+
16
+ permissions:
17
+ contents: read
18
+
19
+ jobs:
20
+ verify-release-channels:
21
+ if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
22
+ runs-on: ubuntu-latest
23
+
24
+ steps:
25
+ - name: Check out repository
26
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
27
+ with:
28
+ persist-credentials: false
29
+
30
+ - name: Set up Python
31
+ uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
32
+ with:
33
+ python-version: "3.12"
34
+
35
+ - name: Resolve release parity inputs
36
+ id: release
37
+ env:
38
+ GH_TOKEN: ${{ github.token }}
39
+ INPUT_TAG: ${{ github.event.inputs.tag }}
40
+ INPUT_OBSERVED_JSON: ${{ github.event.inputs.observed-json }}
41
+ RELEASE_CHANNEL_OBSERVATIONS_URL: ${{ vars.RELEASE_CHANNEL_OBSERVATIONS_URL }}
42
+ run: |
43
+ tag="${INPUT_TAG:-}"
44
+ if [ -z "$tag" ]; then
45
+ tag="$(gh release list --limit 1 --json tagName --jq '.[0].tagName')"
46
+ fi
47
+ if [ -z "$tag" ]; then
48
+ echo "Unable to determine the release tag to verify." >&2
49
+ exit 1
50
+ fi
51
+ observed_json="${INPUT_OBSERVED_JSON:-$RELEASE_CHANNEL_OBSERVATIONS_URL}"
52
+ if [ -z "$observed_json" ]; then
53
+ echo "Set workflow input observed-json or repository variable RELEASE_CHANNEL_OBSERVATIONS_URL." >&2
54
+ exit 1
55
+ fi
56
+ echo "tag=$tag" >> "$GITHUB_OUTPUT"
57
+ echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
58
+ echo "observed_json=$observed_json" >> "$GITHUB_OUTPUT"
59
+
60
+ - name: Download release checksums
61
+ env:
62
+ GH_TOKEN: ${{ github.token }}
63
+ RELEASE_TAG: ${{ steps.release.outputs.tag }}
64
+ run: gh release download "$RELEASE_TAG" --pattern SHA256SUMS.txt --repo "$GITHUB_REPOSITORY"
65
+
66
+ - name: Verify channel parity
67
+ env:
68
+ RELEASE_TAG: ${{ steps.release.outputs.tag }}
69
+ RELEASE_VERSION: ${{ steps.release.outputs.version }}
70
+ OBSERVED_JSON: ${{ steps.release.outputs.observed_json }}
71
+ run: |
72
+ python scripts/verify_release_channels.py \
73
+ --expected-version "$RELEASE_VERSION" \
74
+ --tag "$RELEASE_TAG" \
75
+ --expected-checksums SHA256SUMS.txt \
76
+ --required-channel pypi \
77
+ --required-channel github \
78
+ --required-channel snap \
79
+ --required-channel docker \
80
+ --required-channel homebrew \
81
+ --required-channel winget \
82
+ --expected-architecture docker=linux/amd64 \
83
+ --expected-architecture docker=linux/arm64 \
84
+ --expected-architecture docker=linux/arm/v7 \
85
+ --expected-architecture snap=amd64 \
86
+ --expected-architecture snap=arm64 \
87
+ --expected-architecture snap=armhf \
88
+ --expected-architecture github=windows-x86_64 \
89
+ --release-notes-fragment "Published from immutable commit" \
90
+ --observed-json "$OBSERVED_JSON"
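Review bot: in `Resolve release parity inputs`, the `workflow_run` path resolves the tag with `gh release list --limit 1`, i.e. whichever release is newest when the job runs rather than the one the completed `Release` run actually published; two releases in quick succession, or a pre-release sorting first, would verify the wrong tag. The triggering run is available as `github.event.workflow_run`, and for a tag-triggered release its `head_branch` carries the tag name, so prefer that and fall back to the list only on `workflow_dispatch`. Separately, `Download release checksums` fetches `SHA256SUMS.txt` from the very release being checked, so the parity baseline is only as trustworthy as the release assets themselves; if the Release workflow publishes an attestation for that file, running `gh attestation verify` on it before `verify_release_channels.py` would anchor the comparison to the build rather than to whatever is currently attached to the release.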
@@ -852,13 +852,13 @@ jobs:
852
852
  persist-credentials: false
853
853
 
854
854
  - name: Set up QEMU for multi-platform builds
855
- uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
855
+ uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0
856
856
 
857
857
  - name: Set up Docker Buildx
858
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
858
+ uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
859
859
 
860
860
  - name: Log in to GitHub Container Registry
861
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
861
+ uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
862
862
  with:
863
863
  registry: ghcr.io
864
864
  username: ${{ github.actor }}
@@ -891,7 +891,7 @@ jobs:
891
891
  } >> "$GITHUB_OUTPUT"
892
892
 
893
893
  - name: Build and publish multi-platform Docker images
894
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
894
+ uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
895
895
  with:
896
896
  context: .
897
897
  file: ./Dockerfile
@@ -58,7 +58,7 @@ jobs:
58
58
  --compare trustcheck-second.sarif
59
59
 
60
60
  - name: Upload SARIF to GitHub code scanning
61
- uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
61
+ uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
62
62
  with:
63
63
  sarif_file: trustcheck-first.sarif
64
64
  category: trustcheck-sarif-integration
@@ -6,14 +6,33 @@ The project follows Semantic Versioning for the supported public API described i
6
6
 
7
7
  ## Unreleased
8
8
 
9
+ ## [2.2.0] - 2026-07-05
10
+
11
+ Package release `2.2.0` emits machine-readable report schema `1.11.0`.
12
+
9
13
  ### Added
10
14
 
11
- - Added calibrated malicious-package heuristic metadata, policy-configurable
15
+ - Added malicious-package heuristic rule metadata, policy-configurable
12
16
  aggregate and per-rule thresholds, and advanced the schema to `1.11.0`.
13
17
  - Added opt-in `--dynamic-analysis` execution in a disposable, no-network,
14
18
  non-root Docker sandbox with CPU, memory, process, and wall-clock limits.
19
+ - Added `trustcheck manifest init|verify|update` for dependency trust
20
+ baselines that block repository, Trusted Publisher, SLSA, provenance,
21
+ index-origin, native-binary, dynamic-execution, and malicious-score
22
+ regressions.
23
+ - Added `trustcheck diff` for lockfile and pull-request trust review across
24
+ changed direct and transitive packages, with text, JSON, Markdown, SARIF,
25
+ Git ref discovery, GitHub PR commenting, and optional trust-manifest
26
+ enforcement.
27
+ - Added `trustcheck doctor`, concise `--summary`/`--decision` report output,
28
+ source/release provenance parity checks, starter policy bundles, and a
29
+ post-release channel parity verifier workflow.
15
30
  - Added a pinned GitHub Dependency Review pull-request gate for vulnerable
16
31
  dependency.
32
+ - Strengthened `scan --fix` to target policy-failing packages, validate the
33
+ generated graph in a clean virtual environment, run
34
+ `[tool.trustcheck.fix].test_commands`, support `requirements.lock`, and write
35
+ a review patch artifact; advanced the remediation schema to `1.3.0`.
17
36
 
18
37
  ### Changed
19
38
 
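Review bot: the first `### Added` bullet under `[2.2.0]` still says the release "advanced the schema to 1.11.0", but the section preamble added in this same hunk says 2.2.0 emits schema 1.11.0 and the `[2.1.1]` entry further down already reports schema 1.11.0 for 2.1.1 and 2.1.2, so the bullet is carried over from when this text sat under `Unreleased` and no longer describes a change made in 2.2.0; either drop the schema clause or state which 2.2.0 change touched the schema (the `contract.py` and `tests/snapshots/contract_schema.json` edits in this release suggest something did). Two smaller points: the `Strengthened scan --fix ...` bullet describes changed behaviour and belongs under `### Changed`, and the unchanged context bullet ending "gate for vulnerable dependency." should read "dependencies", which is worth fixing here given the `[2.1.2]` entry claims that description was already corrected.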
@@ -24,6 +43,15 @@ The project follows Semantic Versioning for the supported public API described i
24
43
  Sigstore requirements `PyJWT`, `idna`, and `tuf`; the action lockfile still
25
44
  constrains the resolved transitive set.
26
45
 
46
+ ## [2.1.2] - 2026-07-01
47
+
48
+ Package release `2.1.2` emits machine-readable report schema `1.11.0`.
49
+
50
+ ### Changed
51
+
52
+ - Corrected the changelog description for the pinned GitHub Dependency Review
53
+ pull-request gate.
54
+
27
55
  ## [2.1.1] - 2026-06-28
28
56
 
29
57
  Package release `2.1.1` emits machine-readable report schema `1.11.0`.
@@ -244,7 +272,9 @@ Package release `1.9.0` emits machine-readable report schema `1.4.0`.
244
272
  - Aligned the README, documentation site, CLI help, changelog, and JSON contract documentation around the same supported feature set.
245
273
  - Replaced temporary Discord issue and security links with stable GitHub project pages and private vulnerability reporting.
246
274
 
247
- [Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.1...HEAD
275
+ [Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.2.0...HEAD
276
+ [2.2.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.2...v2.2.0
277
+ [2.1.2]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.1...v2.1.2
248
278
  [2.1.1]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.0...v2.1.1
249
279
  [2.1.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.0.5...v2.1.0
250
280
  [1.9.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v1.8.0...v1.9.0
@@ -0,0 +1,2 @@
1
+ include scripts/verify_release_version.py
2
+ include scripts/verify_release_channels.py