trustcheck 2.1.2__tar.gz → 2.2.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- trustcheck-2.2.0/.github/workflows/acceptance-matrix.yml +56 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/benchmarks.yml +6 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/ci.yml +3 -3
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/codeql.yml +3 -3
- trustcheck-2.2.0/.github/workflows/plagiarism-scan.yml +128 -0
- trustcheck-2.2.0/.github/workflows/post-release-parity.yml +90 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/publish.yml +4 -4
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/sarif-integration.yml +1 -1
- {trustcheck-2.1.2 → trustcheck-2.2.0}/CHANGELOG.md +32 -2
- trustcheck-2.2.0/MANIFEST.in +2 -0
- {trustcheck-2.1.2/src/trustcheck.egg-info → trustcheck-2.2.0}/PKG-INFO +160 -21
- {trustcheck-2.1.2 → trustcheck-2.2.0}/README.md +159 -20
- {trustcheck-2.1.2 → trustcheck-2.2.0}/action.yml +10 -2
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/README.md +16 -7
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/corpus.json +9 -0
- trustcheck-2.2.0/benchmarks/corpus/malicious-calibration.json +102 -0
- trustcheck-2.2.0/benchmarks/corpus/pdm.lock +22 -0
- trustcheck-2.2.0/benchmarks/results/benchmark-public-key.pem +11 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/results/latest.json +339 -866
- trustcheck-2.2.0/benchmarks/results/latest.json.sig +1 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/changelog.md +1 -1
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/index.md +67 -3
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/getting-started/quickstart.md +31 -2
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/guides/ci-integration.md +85 -13
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/index.md +32 -3
- trustcheck-2.2.0/docs/reference/benchmarks.md +92 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/industry-formats.md +20 -9
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/json-contract.md +11 -9
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/malicious-package-detection.md +28 -3
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/python-api.md +3 -2
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/remediation.md +36 -13
- {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_exports.py +9 -1
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/action.lock +1 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/ci.in +3 -3
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/ci.lock +22 -23
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/semgrep.in +1 -1
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/semgrep.lock +118 -69
- trustcheck-2.2.0/scripts/acceptance_matrix.py +212 -0
- trustcheck-2.2.0/scripts/github_plagiarism_scan.py +307 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/update_benchmark_table.py +22 -14
- trustcheck-2.2.0/scripts/verify_release_channels.py +361 -0
- trustcheck-2.2.0/src/trustcheck/__init__.py +278 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/_version.py +2 -2
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/attestations.py +106 -41
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli.py +866 -7
- trustcheck-2.2.0/src/trustcheck/cli_commands/diff.py +408 -0
- trustcheck-2.2.0/src/trustcheck/cli_commands/doctor.py +31 -0
- trustcheck-2.2.0/src/trustcheck/cli_commands/impact.py +168 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/inspect.py +8 -3
- trustcheck-2.2.0/src/trustcheck/cli_commands/install.py +931 -0
- trustcheck-2.2.0/src/trustcheck/cli_commands/manifest.py +260 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/scan.py +9 -3
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_render.py +107 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/contract.py +14 -2
- trustcheck-2.2.0/src/trustcheck/diff.py +917 -0
- trustcheck-2.2.0/src/trustcheck/doctor.py +432 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/export_models.py +9 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/export_xml.py +33 -10
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/exports.py +392 -54
- trustcheck-2.2.0/src/trustcheck/impact.py +882 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/malicious.py +33 -33
- trustcheck-2.2.0/src/trustcheck/manifest.py +1028 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/policy.py +35 -1
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/provenance.py +182 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/remediation.py +197 -23
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/remediation_models.py +47 -1
- trustcheck-2.2.0/src/trustcheck/remediation_render.py +91 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/snapshots.py +35 -7
- {trustcheck-2.1.2 → trustcheck-2.2.0/src/trustcheck.egg-info}/PKG-INFO +160 -21
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/SOURCES.txt +24 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/snapshots/contract_schema.json +2 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_attestations.py +42 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_benchmark_results.py +40 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_ci_workflow.py +82 -1
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_cli.py +276 -1
- trustcheck-2.2.0/tests/test_diff.py +816 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_docker_workflows.py +7 -7
- trustcheck-2.2.0/tests/test_doctor.py +371 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_edge_cases.py +8 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_exports.py +103 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_github_action.py +16 -0
- trustcheck-2.2.0/tests/test_impact.py +633 -0
- trustcheck-2.2.0/tests/test_install_command.py +880 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_lockfiles.py +13 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_malicious.py +3 -3
- trustcheck-2.2.0/tests/test_manifest.py +818 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_performance_extensibility.py +52 -2
- trustcheck-2.2.0/tests/test_plagiarism_scan.py +257 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_provenance.py +95 -1
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_public_api.py +23 -2
- trustcheck-2.2.0/tests/test_release_channels.py +160 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_release_readiness.py +39 -2
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_remediation.py +436 -0
- trustcheck-2.1.2/MANIFEST.in +0 -1
- trustcheck-2.1.2/benchmarks/results/benchmark-public-key.pem +0 -11
- trustcheck-2.1.2/benchmarks/results/latest.json.sig +0 -1
- trustcheck-2.1.2/docs/reference/benchmarks.md +0 -60
- trustcheck-2.1.2/src/trustcheck/__init__.py +0 -193
- trustcheck-2.1.2/src/trustcheck/remediation_render.py +0 -50
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.dockerignore +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.gitattributes +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/CODEOWNERS +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/ISSUE_TEMPLATE/general.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/dependabot.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/trustcheck-action-fail-policy.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/action-integration.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/bandit.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/binary-security.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/docs.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/fuzz.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/live-integration.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/mutation.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/semgrep.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.github/workflows/source-build.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.gitignore +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/.pre-commit-hooks.yaml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/CONTRIBUTING.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/Dockerfile +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/LICENSE +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/SECURITY.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/benchmark_against_pip_audit.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/poetry.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/pylock.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-hashed.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-main.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-malformed.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-markers-extras.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-private-index.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-profiles.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-resolution.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements-vcs-editable.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/requirements.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/truth-public-key.pem +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/truth.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/truth.json.sig +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/corpus/uv.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/benchmarks/measure_command.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/assets/images/logo-bg-less.png +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/assets/images/logo.png +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/assets/javascripts/disable-search-shortcut.js +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/configuration.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/exit-codes.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/cli/policies.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/getting-started/installation.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/compatibility.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/performance-extensibility.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/recommendations.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/docs/reference/trust-model.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/README.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_artifacts.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_indexes.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_lockfiles.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_provenance.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/fuzz/fuzz_requirements.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/mkdocs.yml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/pyproject.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/fuzz.in +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/fuzz.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/runtime.in +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/requirements/runtime.lock +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/benchmark_signature.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/build_msix_layout.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/build_standalone.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/check_mutation_score.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/dependency_bounds.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/smoke_test_distribution.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/trustcheck_binary.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/update_coverage_badge.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/validate_sarif.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/scripts/verify_release_version.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/setup.cfg +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/snap/README.md +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/snap/gui/icon.png +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/snap/snapcraft.yaml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/__main__.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/_resolver_guard.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/advisories.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/artifacts.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cache.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/__init__.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/context.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_commands/environment.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_models.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_runtime.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/cli_targets.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/dynamic.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/github_action.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/indexes.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/lockfiles.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/models.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/plugins.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/pre_commit.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/py.typed +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/pypi.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/resolver.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/resume.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/schemas.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/service.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/service_state.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/service_urls.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck/workspace.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/dependency_links.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/entry_points.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/requires.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/src/trustcheck.egg-info/top_level.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/bad-scan.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/cache/5e491d79f8ba9e36d864ae50c690989677616cd509e5b99abb9272c8ad976435.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/config_non_object.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/empty-scan.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/empty-scan.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/invalid-scan.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/policy_non_object.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/scan-poetry.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/_tmp/scan-project.toml +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/fixtures/client_config.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/fixtures/policy_require_expected_repo.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/fixtures/requirements-vulnerable.txt +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/snapshots/report_minimal.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/snapshots/report_verified.json +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_advisories.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_artifacts.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_binary_security_workflow.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_contract.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_dependency_bounds.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_dynamic.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_indexes.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_integration_live.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_msix_packaging.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_mutation_score.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_plugin_security.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_pre_commit.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_property_invariants.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_pypi.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_release_executable.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_release_version.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_resolver.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_resolver_guard.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_sarif_validation.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_scan_profiles.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_service.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_snap_packaging.py +0 -0
- {trustcheck-2.1.2 → trustcheck-2.2.0}/tests/test_workspace.py +0 -0
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
name: Acceptance Matrix
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_dispatch:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: "47 4 * * *"
|
|
7
|
+
|
|
8
|
+
permissions:
|
|
9
|
+
contents: read
|
|
10
|
+
|
|
11
|
+
concurrency:
|
|
12
|
+
group: acceptance-matrix-main
|
|
13
|
+
cancel-in-progress: false
|
|
14
|
+
|
|
15
|
+
jobs:
|
|
16
|
+
acceptance:
|
|
17
|
+
name: ${{ matrix.case }} / ${{ matrix.os }} / Python ${{ matrix.python-version }}
|
|
18
|
+
runs-on: ${{ matrix.os }}
|
|
19
|
+
timeout-minutes: 45
|
|
20
|
+
strategy:
|
|
21
|
+
fail-fast: false
|
|
22
|
+
matrix:
|
|
23
|
+
os: [ubuntu-latest, macos-latest, windows-latest]
|
|
24
|
+
python-version: ["3.11", "3.12", "3.13", "3.14"]
|
|
25
|
+
case: [pip-tools, uv-lock, poetry-lock, pdm-lock, pep751-pylock, extras-markers, private-index-fixture, native-wheel, sdist]
|
|
26
|
+
|
|
27
|
+
steps:
|
|
28
|
+
- name: Check out repository
|
|
29
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
30
|
+
with:
|
|
31
|
+
persist-credentials: false
|
|
32
|
+
|
|
33
|
+
- name: Set up Python
|
|
34
|
+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
35
|
+
with:
|
|
36
|
+
python-version: ${{ matrix.python-version }}
|
|
37
|
+
cache: pip
|
|
38
|
+
|
|
39
|
+
- name: Install acceptance environment
|
|
40
|
+
run: |
|
|
41
|
+
python -m pip install --disable-pip-version-check --require-hashes --requirement requirements/runtime.lock
|
|
42
|
+
python -m pip install --disable-pip-version-check --no-build-isolation --no-deps -e .
|
|
43
|
+
python -m pip check
|
|
44
|
+
|
|
45
|
+
- name: Run acceptance case
|
|
46
|
+
env:
|
|
47
|
+
TRUSTCHECK_RUN_ACCEPTANCE: "1"
|
|
48
|
+
run: python scripts/acceptance_matrix.py --case "${{ matrix.case }}" --report-dir acceptance-reports
|
|
49
|
+
|
|
50
|
+
- name: Upload acceptance report
|
|
51
|
+
if: always()
|
|
52
|
+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
|
|
53
|
+
with:
|
|
54
|
+
name: acceptance-${{ matrix.case }}-${{ matrix.os }}-py${{ matrix.python-version }}
|
|
55
|
+
path: acceptance-reports/
|
|
56
|
+
if-no-files-found: warn
|
|
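Review bot: `if-no-files-found: warn` on the "Upload acceptance report" step means a case that aborts before `scripts/acceptance_matrix.py` writes anything into `acceptance-reports/` only yields a warning, and because that step runs under `if: always()` the missing report is easy to overlook when scanning a 108-job matrix; set `if-no-files-found: error` so an absent report is visible on its own, independent of the run step's exit status. Secondary: the `actions/upload-artifact@043fb46d...` pin is commented `# v7` only, while the other pins in this file carry a full `vX.Y.Z`; record the exact release tag so the SHA can be checked against it.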
@@ -2,6 +2,11 @@ name: Benchmarks
|
|
|
2
2
|
|
|
3
3
|
on:
|
|
4
4
|
workflow_dispatch:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: "23 4 * * 1"
|
|
7
|
+
workflow_run:
|
|
8
|
+
workflows: ["Release"]
|
|
9
|
+
types: [completed]
|
|
5
10
|
|
|
6
11
|
permissions:
|
|
7
12
|
contents: read
|
|
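Review bot: the new `workflow_run` trigger on `Release` fires for every completed run, including failed and cancelled ones; it is only safe because the `jobs:` hunk of this same file adds `if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'`, so keep the two changes together and do not let a later edit drop that gate, otherwise a failed release would still refresh the published benchmark results. Also note that a `workflow_run` job checks out the default branch, not the released commit; if the benchmark is meant to measure the release, check out `github.event.workflow_run.head_sha`.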
@@ -12,6 +17,7 @@ concurrency:
|
|
|
12
17
|
|
|
13
18
|
jobs:
|
|
14
19
|
pip-audit-comparison:
|
|
20
|
+
if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
|
|
15
21
|
runs-on: ubuntu-latest
|
|
16
22
|
timeout-minutes: 45
|
|
17
23
|
steps:
|
|
@@ -248,11 +248,11 @@ jobs:
|
|
|
248
248
|
|
|
249
249
|
- name: Set up Docker Buildx
|
|
250
250
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
251
|
-
uses: docker/setup-buildx-action@
|
|
251
|
+
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
|
|
252
252
|
|
|
253
253
|
- name: Log in to GitHub Container Registry
|
|
254
254
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
255
|
-
uses: docker/login-action@
|
|
255
|
+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
|
256
256
|
with:
|
|
257
257
|
registry: ghcr.io
|
|
258
258
|
username: ${{ github.actor }}
|
|
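Review bot: the removed lines `uses: docker/setup-buildx-action@` and `uses: docker/login-action@` carried no ref at all, so the 2.1.2 workflow could not have resolved these steps; pinning to a commit SHA with a `# v4.2.0` / `# v4.4.0` comment is the right fix, but GitHub does not check that comment against the SHA, so add a pin-verification step (Dependabot's `github-actions` ecosystem, or a lint that resolves each pinned SHA to its tag) so the comment and the commit cannot drift apart silently.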
@@ -279,7 +279,7 @@ jobs:
|
|
|
279
279
|
|
|
280
280
|
- name: Build and publish CI Docker image
|
|
281
281
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
282
|
-
uses: docker/build-push-action@
|
|
282
|
+
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
|
|
283
283
|
with:
|
|
284
284
|
context: .
|
|
285
285
|
file: ./Dockerfile
|
|
@@ -25,7 +25,7 @@ jobs:
|
|
|
25
25
|
fetch-depth: 0
|
|
26
26
|
|
|
27
27
|
- name: Initialize CodeQL
|
|
28
|
-
uses: github/codeql-action/init@
|
|
28
|
+
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
29
29
|
with:
|
|
30
30
|
languages: python
|
|
31
31
|
|
|
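Review bot: the `# v4` comment on `github/codeql-action/init@54f647b7...` names only a major version, so a reviewer cannot tell which `codeql-action` release this SHA corresponds to; record the full tag (`vX.Y.Z`) as the other workflows in this diff do. The same SHA and the same major-only comment are reused for the `autobuild` and `analyze` pins in the next hunk, so one fix covers all three.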
@@ -35,7 +35,7 @@ jobs:
|
|
|
35
35
|
python-version: "3.12"
|
|
36
36
|
|
|
37
37
|
- name: Autobuild
|
|
38
|
-
uses: github/codeql-action/autobuild@
|
|
38
|
+
uses: github/codeql-action/autobuild@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
39
39
|
|
|
40
40
|
- name: Perform CodeQL analysis
|
|
41
|
-
uses: github/codeql-action/analyze@
|
|
41
|
+
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
@@ -0,0 +1,128 @@
|
|
|
1
|
+
name: GitHub Code Copy Scan
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_dispatch:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: "37 3 * * *"
|
|
7
|
+
|
|
8
|
+
permissions:
|
|
9
|
+
contents: write
|
|
10
|
+
issues: write
|
|
11
|
+
pull-requests: write
|
|
12
|
+
|
|
13
|
+
concurrency:
|
|
14
|
+
group: github-code-copy-scan
|
|
15
|
+
cancel-in-progress: false
|
|
16
|
+
|
|
17
|
+
jobs:
|
|
18
|
+
scan:
|
|
19
|
+
name: Search GitHub for copied code
|
|
20
|
+
runs-on: ubuntu-latest
|
|
21
|
+
|
|
22
|
+
steps:
|
|
23
|
+
- name: Check out repository
|
|
24
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
25
|
+
with:
|
|
26
|
+
fetch-depth: 0
|
|
27
|
+
persist-credentials: false
|
|
28
|
+
|
|
29
|
+
- name: Set up Python
|
|
30
|
+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
31
|
+
with:
|
|
32
|
+
python-version: "3.12"
|
|
33
|
+
|
|
34
|
+
- name: Search public GitHub code
|
|
35
|
+
env:
|
|
36
|
+
GITHUB_TOKEN: ${{ secrets.TRUSTCHECK_GITHUB_SEARCH_TOKEN || github.token }}
|
|
37
|
+
GITHUB_REPOSITORY: ${{ github.repository }}
|
|
38
|
+
run: |
|
|
39
|
+
python scripts/github_plagiarism_scan.py \
|
|
40
|
+
--source src/trustcheck \
|
|
41
|
+
--output reports/github-code-copy-findings.md \
|
|
42
|
+
--max-fingerprints 20 \
|
|
43
|
+
--per-page 10
|
|
44
|
+
|
|
45
|
+
- name: Open or update findings pull request or issue
|
|
46
|
+
env:
|
|
47
|
+
BRANCH: automation/github-code-copy-findings
|
|
48
|
+
GH_TOKEN: ${{ secrets.TRUSTCHECK_PR_TOKEN || github.token }}
|
|
49
|
+
ISSUE_TITLE: GitHub code copy scan findings
|
|
50
|
+
REPORT_PATH: reports/github-code-copy-findings.md
|
|
51
|
+
run: |
|
|
52
|
+
if [ -z "$(git status --porcelain -- "$REPORT_PATH")" ]; then
|
|
53
|
+
echo "No code-copy finding changes to publish."
|
|
54
|
+
exit 0
|
|
55
|
+
fi
|
|
56
|
+
|
|
57
|
+
git config user.name "github-actions[bot]"
|
|
58
|
+
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
59
|
+
git checkout -B "$BRANCH"
|
|
60
|
+
git add "$REPORT_PATH"
|
|
61
|
+
git commit -m "Update GitHub code copy scan findings"
|
|
62
|
+
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
|
|
63
|
+
git push --force-with-lease origin "$BRANCH"
|
|
64
|
+
|
|
65
|
+
existing_pr="$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number // empty')"
|
|
66
|
+
if [ -n "$existing_pr" ]; then
|
|
67
|
+
gh pr edit "$existing_pr" \
|
|
68
|
+
--title "Update GitHub code copy scan findings" \
|
|
69
|
+
--body-file "$REPORT_PATH"
|
|
70
|
+
else
|
|
71
|
+
pr_url="https://github.com/${GITHUB_REPOSITORY}/pull/new/${BRANCH}"
|
|
72
|
+
create_error="$(mktemp)"
|
|
73
|
+
if gh pr create \
|
|
74
|
+
--base main \
|
|
75
|
+
--head "$BRANCH" \
|
|
76
|
+
--title "Update GitHub code copy scan findings" \
|
|
77
|
+
--body-file "$REPORT_PATH" \
|
|
78
|
+
2>"$create_error"; then
|
|
79
|
+
exit 0
|
|
80
|
+
fi
|
|
81
|
+
|
|
82
|
+
cat "$create_error"
|
|
83
|
+
if grep -q "not permitted to create" "$create_error"; then
|
|
84
|
+
issue_body="$(mktemp)"
|
|
85
|
+
{
|
|
86
|
+
echo "GitHub Actions pushed the code-copy findings branch, but this repository does not permit Actions to create pull requests."
|
|
87
|
+
echo
|
|
88
|
+
echo "Findings branch: https://github.com/${GITHUB_REPOSITORY}/tree/${BRANCH}"
|
|
89
|
+
echo
|
|
90
|
+
echo "Manual pull request URL: ${pr_url}"
|
|
91
|
+
echo
|
|
92
|
+
cat "$REPORT_PATH"
|
|
93
|
+
} > "$issue_body"
|
|
94
|
+
|
|
95
|
+
existing_issue="$(
|
|
96
|
+
gh issue list \
|
|
97
|
+
--state open \
|
|
98
|
+
--search "${ISSUE_TITLE} in:title" \
|
|
99
|
+
--json number,title \
|
|
100
|
+
--jq ".[] | select(.title == \"${ISSUE_TITLE}\") | .number" \
|
|
101
|
+
| head -n 1
|
|
102
|
+
)"
|
|
103
|
+
if [ -n "$existing_issue" ]; then
|
|
104
|
+
gh issue edit "$existing_issue" \
|
|
105
|
+
--title "$ISSUE_TITLE" \
|
|
106
|
+
--body-file "$issue_body"
|
|
107
|
+
issue_url="https://github.com/${GITHUB_REPOSITORY}/issues/${existing_issue}"
|
|
108
|
+
else
|
|
109
|
+
issue_url="$(
|
|
110
|
+
gh issue create \
|
|
111
|
+
--title "$ISSUE_TITLE" \
|
|
112
|
+
--body-file "$issue_body"
|
|
113
|
+
)"
|
|
114
|
+
fi
|
|
115
|
+
|
|
116
|
+
{
|
|
117
|
+
echo "### GitHub code copy scan findings"
|
|
118
|
+
echo
|
|
119
|
+
echo "The findings branch was pushed, but GitHub Actions is not permitted to create pull requests in this repository."
|
|
120
|
+
echo
|
|
121
|
+
echo "Issue: ${issue_url}"
|
|
122
|
+
echo
|
|
123
|
+
echo "Manual pull request URL: ${pr_url}"
|
|
124
|
+
} >> "$GITHUB_STEP_SUMMARY"
|
|
125
|
+
exit 0
|
|
126
|
+
fi
|
|
127
|
+
exit 1
|
|
128
|
+
fi
|
|
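Review bot: `git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` writes the token into `.git/config` in clear text, and any later git error that echoes the remote URL will print it into the job log; since `gh` is already used in this step, prefer `gh auth setup-git` (which wires the `GH_TOKEN` through a credential helper) or pass an `http.extraheader` authorization via `git -c`, and keep `persist-credentials: false` on the checkout as it is. Second, `contents: write`, `issues: write` and `pull-requests: write` are declared at workflow level, so the checkout, Python setup and "Search public GitHub code" steps hold them although only the final step needs them; move the publishing step into its own job with those permissions and leave the scan job at `contents: read`. Minor: `grep -q "not permitted to create" "$create_error"` is a substring match on `gh` error text and will silently fall through to `exit 1` if the wording changes; checking the `gh pr create` exit code plus a broader pattern would be more robust.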
@@ -0,0 +1,90 @@
|
|
|
1
|
+
name: Post-release Channel Parity
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_run:
|
|
5
|
+
workflows: ["Release"]
|
|
6
|
+
types: [completed]
|
|
7
|
+
workflow_dispatch:
|
|
8
|
+
inputs:
|
|
9
|
+
tag:
|
|
10
|
+
description: Release tag to verify, such as v2.1.1.
|
|
11
|
+
required: true
|
|
12
|
+
observed-json:
|
|
13
|
+
description: URL or repository path for normalized channel observations.
|
|
14
|
+
required: true
|
|
15
|
+
|
|
16
|
+
permissions:
|
|
17
|
+
contents: read
|
|
18
|
+
|
|
19
|
+
jobs:
|
|
20
|
+
verify-release-channels:
|
|
21
|
+
if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
|
|
22
|
+
runs-on: ubuntu-latest
|
|
23
|
+
|
|
24
|
+
steps:
|
|
25
|
+
- name: Check out repository
|
|
26
|
+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
27
|
+
with:
|
|
28
|
+
persist-credentials: false
|
|
29
|
+
|
|
30
|
+
- name: Set up Python
|
|
31
|
+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
32
|
+
with:
|
|
33
|
+
python-version: "3.12"
|
|
34
|
+
|
|
35
|
+
- name: Resolve release parity inputs
|
|
36
|
+
id: release
|
|
37
|
+
env:
|
|
38
|
+
GH_TOKEN: ${{ github.token }}
|
|
39
|
+
INPUT_TAG: ${{ github.event.inputs.tag }}
|
|
40
|
+
INPUT_OBSERVED_JSON: ${{ github.event.inputs.observed-json }}
|
|
41
|
+
RELEASE_CHANNEL_OBSERVATIONS_URL: ${{ vars.RELEASE_CHANNEL_OBSERVATIONS_URL }}
|
|
42
|
+
run: |
|
|
43
|
+
tag="${INPUT_TAG:-}"
|
|
44
|
+
if [ -z "$tag" ]; then
|
|
45
|
+
tag="$(gh release list --limit 1 --json tagName --jq '.[0].tagName')"
|
|
46
|
+
fi
|
|
47
|
+
if [ -z "$tag" ]; then
|
|
48
|
+
echo "Unable to determine the release tag to verify." >&2
|
|
49
|
+
exit 1
|
|
50
|
+
fi
|
|
51
|
+
observed_json="${INPUT_OBSERVED_JSON:-$RELEASE_CHANNEL_OBSERVATIONS_URL}"
|
|
52
|
+
if [ -z "$observed_json" ]; then
|
|
53
|
+
echo "Set workflow input observed-json or repository variable RELEASE_CHANNEL_OBSERVATIONS_URL." >&2
|
|
54
|
+
exit 1
|
|
55
|
+
fi
|
|
56
|
+
echo "tag=$tag" >> "$GITHUB_OUTPUT"
|
|
57
|
+
echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
|
|
58
|
+
echo "observed_json=$observed_json" >> "$GITHUB_OUTPUT"
|
|
59
|
+
|
|
60
|
+
- name: Download release checksums
|
|
61
|
+
env:
|
|
62
|
+
GH_TOKEN: ${{ github.token }}
|
|
63
|
+
RELEASE_TAG: ${{ steps.release.outputs.tag }}
|
|
64
|
+
run: gh release download "$RELEASE_TAG" --pattern SHA256SUMS.txt --repo "$GITHUB_REPOSITORY"
|
|
65
|
+
|
|
66
|
+
- name: Verify channel parity
|
|
67
|
+
env:
|
|
68
|
+
RELEASE_TAG: ${{ steps.release.outputs.tag }}
|
|
69
|
+
RELEASE_VERSION: ${{ steps.release.outputs.version }}
|
|
70
|
+
OBSERVED_JSON: ${{ steps.release.outputs.observed_json }}
|
|
71
|
+
run: |
|
|
72
|
+
python scripts/verify_release_channels.py \
|
|
73
|
+
--expected-version "$RELEASE_VERSION" \
|
|
74
|
+
--tag "$RELEASE_TAG" \
|
|
75
|
+
--expected-checksums SHA256SUMS.txt \
|
|
76
|
+
--required-channel pypi \
|
|
77
|
+
--required-channel github \
|
|
78
|
+
--required-channel snap \
|
|
79
|
+
--required-channel docker \
|
|
80
|
+
--required-channel homebrew \
|
|
81
|
+
--required-channel winget \
|
|
82
|
+
--expected-architecture docker=linux/amd64 \
|
|
83
|
+
--expected-architecture docker=linux/arm64 \
|
|
84
|
+
--expected-architecture docker=linux/arm/v7 \
|
|
85
|
+
--expected-architecture snap=amd64 \
|
|
86
|
+
--expected-architecture snap=arm64 \
|
|
87
|
+
--expected-architecture snap=armhf \
|
|
88
|
+
--expected-architecture github=windows-x86_64 \
|
|
89
|
+
--release-notes-fragment "Published from immutable commit" \
|
|
90
|
+
--observed-json "$OBSERVED_JSON"
|
|
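Review bot: on a `workflow_run` trigger `INPUT_TAG` is empty, so the tag falls back to `gh release list --limit 1 --json tagName`, i.e. whichever release is newest at the moment the job starts; if another release or a pre-release is published between the Release run finishing and this job running, parity is verified against the wrong tag. Pin the tag from the triggering run instead (`github.event.workflow_run.head_branch` holds the tag name for a tag-triggered Release run, and `head_sha` the commit), and keep the `gh release list` lookup only as a fallback for manual runs. Also, the downloaded `SHA256SUMS.txt` is the trust anchor for every `--required-channel` comparison but is not itself verified here; if the Release workflow publishes a signature for it, verify that signature before `scripts/verify_release_channels.py` consumes the file.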
@@ -852,13 +852,13 @@ jobs:
|
|
|
852
852
|
persist-credentials: false
|
|
853
853
|
|
|
854
854
|
- name: Set up QEMU for multi-platform builds
|
|
855
|
-
uses: docker/setup-qemu-action@
|
|
855
|
+
uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0
|
|
856
856
|
|
|
857
857
|
- name: Set up Docker Buildx
|
|
858
|
-
uses: docker/setup-buildx-action@
|
|
858
|
+
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
|
|
859
859
|
|
|
860
860
|
- name: Log in to GitHub Container Registry
|
|
861
|
-
uses: docker/login-action@
|
|
861
|
+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
|
862
862
|
with:
|
|
863
863
|
registry: ghcr.io
|
|
864
864
|
username: ${{ github.actor }}
|
|
@@ -891,7 +891,7 @@ jobs:
|
|
|
891
891
|
} >> "$GITHUB_OUTPUT"
|
|
892
892
|
|
|
893
893
|
- name: Build and publish multi-platform Docker images
|
|
894
|
-
uses: docker/build-push-action@
|
|
894
|
+
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
|
|
895
895
|
with:
|
|
896
896
|
context: .
|
|
897
897
|
file: ./Dockerfile
|
|
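Review bot: `docker/build-push-action` is now pinned to a SHA with `# v7.3.0`, consistent with the other Docker action pins; since this step builds and publishes multi-platform images from `context: .` and `file: ./Dockerfile`, consider also enabling the action's `provenance` and `sbom` inputs so the pushed images carry build attestations that the post-release parity checker and downstream consumers can verify alongside the image tags.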
@@ -58,7 +58,7 @@ jobs:
|
|
|
58
58
|
--compare trustcheck-second.sarif
|
|
59
59
|
|
|
60
60
|
- name: Upload SARIF to GitHub code scanning
|
|
61
|
-
uses: github/codeql-action/upload-sarif@
|
|
61
|
+
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
|
|
62
62
|
with:
|
|
63
63
|
sarif_file: trustcheck-first.sarif
|
|
64
64
|
category: trustcheck-sarif-integration
|
|
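Review bot: the `upload-sarif` pin comment reads `# v4` rather than a full release tag, unlike the `# vX.Y.Z` comments used for the Docker action pins elsewhere in this change; record the exact tag that `54f647b7e1bb85c95cddabcd46b0c578ec92bc1a` resolves to so a reviewer can cross-check the pin without resolving the commit. Also, the step uploads `trustcheck-first.sarif` while the preceding context line runs `--compare trustcheck-second.sarif`; if the first run is the baseline and the second is the comparison, a one-line comment on the step would stop a future reader from "fixing" the filename.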
@@ -6,14 +6,33 @@ The project follows Semantic Versioning for the supported public API described i
|
|
|
6
6
|
|
|
7
7
|
## Unreleased
|
|
8
8
|
|
|
9
|
+
## [2.2.0] - 2026-07-05
|
|
10
|
+
|
|
11
|
+
Package release `2.2.0` emits machine-readable report schema `1.11.0`.
|
|
12
|
+
|
|
9
13
|
### Added
|
|
10
14
|
|
|
11
|
-
- Added
|
|
15
|
+
- Added malicious-package heuristic rule metadata, policy-configurable
|
|
12
16
|
aggregate and per-rule thresholds, and advanced the schema to `1.11.0`.
|
|
13
17
|
- Added opt-in `--dynamic-analysis` execution in a disposable, no-network,
|
|
14
18
|
non-root Docker sandbox with CPU, memory, process, and wall-clock limits.
|
|
19
|
+
- Added `trustcheck manifest init|verify|update` for dependency trust
|
|
20
|
+
baselines that block repository, Trusted Publisher, SLSA, provenance,
|
|
21
|
+
index-origin, native-binary, dynamic-execution, and malicious-score
|
|
22
|
+
regressions.
|
|
23
|
+
- Added `trustcheck diff` for lockfile and pull-request trust review across
|
|
24
|
+
changed direct and transitive packages, with text, JSON, Markdown, SARIF,
|
|
25
|
+
Git ref discovery, GitHub PR commenting, and optional trust-manifest
|
|
26
|
+
enforcement.
|
|
27
|
+
- Added `trustcheck doctor`, concise `--summary`/`--decision` report output,
|
|
28
|
+
source/release provenance parity checks, starter policy bundles, and a
|
|
29
|
+
post-release channel parity verifier workflow.
|
|
15
30
|
- Added a pinned GitHub Dependency Review pull-request gate for vulnerable
|
|
16
31
|
dependency.
|
|
32
|
+
- Strengthened `scan --fix` to target policy-failing packages, validate the
|
|
33
|
+
generated graph in a clean virtual environment, run
|
|
34
|
+
`[tool.trustcheck.fix].test_commands`, support `requirements.lock`, and write
|
|
35
|
+
a review patch artifact; advanced the remediation schema to `1.3.0`.
|
|
17
36
|
|
|
18
37
|
### Changed
|
|
19
38
|
|
|
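Review bot: the `### Added` section of `[2.2.0]` has two consistency problems. The context line `aggregate and per-rule thresholds, and advanced the schema to \`1.11.0\`` claims 2.2.0 advanced the report schema, but the `[2.1.1]` context line in the next hunk already states that release emits schema `1.11.0` (as does the new `[2.1.2]` entry), so either this bullet's schema version or the earlier entries are wrong. And the bullet `Strengthened \`scan --fix\` ...`, which ends with `advanced the remediation schema to \`1.3.0\``, describes changes to an existing command and belongs under `### Changed`, not `### Added`. Minor: `for vulnerable dependency.` should read `dependencies`.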
@@ -24,6 +43,15 @@ The project follows Semantic Versioning for the supported public API described i
|
|
|
24
43
|
Sigstore requirements `PyJWT`, `idna`, and `tuf`; the action lockfile still
|
|
25
44
|
constrains the resolved transitive set.
|
|
26
45
|
|
|
46
|
+
## [2.1.2] - 2026-07-01
|
|
47
|
+
|
|
48
|
+
Package release `2.1.2` emits machine-readable report schema `1.11.0`.
|
|
49
|
+
|
|
50
|
+
### Changed
|
|
51
|
+
|
|
52
|
+
- Corrected the changelog description for the pinned GitHub Dependency Review
|
|
53
|
+
pull-request gate.
|
|
54
|
+
|
|
27
55
|
## [2.1.1] - 2026-06-28
|
|
28
56
|
|
|
29
57
|
Package release `2.1.1` emits machine-readable report schema `1.11.0`.
|
|
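Review bot: the `[2.1.2] - 2026-07-01` section is being added to the changelog only now, in the 2.2.0 diff, even though the 2.1.2 tarball was already published (this page compares 2.1.2 to 2.2.0); if 2.1.2 shipped without its own changelog entry, say so in the 2.2.0 notes, and consider a release-time check that fails when the version being published has no matching `## [version]` heading, so the changelog cannot lag a release again.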
@@ -244,7 +272,9 @@ Package release `1.9.0` emits machine-readable report schema `1.4.0`.
|
|
|
244
272
|
- Aligned the README, documentation site, CLI help, changelog, and JSON contract documentation around the same supported feature set.
|
|
245
273
|
- Replaced temporary Discord issue and security links with stable GitHub project pages and private vulnerability reporting.
|
|
246
274
|
|
|
247
|
-
[Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.
|
|
275
|
+
[Unreleased]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.2.0...HEAD
|
|
276
|
+
[2.2.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.2...v2.2.0
|
|
277
|
+
[2.1.2]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.1...v2.1.2
|
|
248
278
|
[2.1.1]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.1.0...v2.1.1
|
|
249
279
|
[2.1.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v2.0.5...v2.1.0
|
|
250
280
|
[1.9.0]: https://github.com/Halfblood-Prince/trustcheck/compare/v1.8.0...v1.9.0
|
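Review bot: the new reference links are consistent with the headings (`[Unreleased]` compares `v2.2.0...HEAD`, `[2.2.0]` compares `v2.1.2...v2.2.0`, `[2.1.2]` compares `v2.1.1...v2.1.2`), but the unchanged context shows `[2.1.0]` comparing from `v2.0.5` and then jumping straight to `[1.9.0]`, so the 2.0.x releases implied by `v2.0.5` have no link definitions here; if the changelog has `## [2.0.x]` headings, add their compare links, and either way a lint that every `## [x.y.z]` heading has a matching `[x.y.z]:` reference would catch this class of gap.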