GitHub Repository

Verify PyPI package attestations and improve Python supply-chain security

90 stars · Python

Beta Testing needed for my package Trustcheck

by halfblood1010 · Apr 11, 2026 · 1 point · 1 comment

AI Analysis

Solid · Solve My Problem · Niche Gem · Ship It

Consolidates Sigstore attestation verification and vulnerability scans into one pre-install CLI check.

Strengths
  • Verifies cryptographic attestations and Trusted Publisher identity hints alongside standard vulnerability records.
  • Strict mode fails CI when verification signals are missing or drift is detected.
  • Exposes structured JSON output for integration with existing security pipelines and dashboards.
Weaknesses
  • Relies on maintainers publishing attestations; most PyPI packages do not ship these cryptographic signals today.
  • No Windows binary is provided; a Python 3.10+ environment must be set up before running checks.
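The check described in the analysis above (Trusted Publisher identity, strict versus lenient handling of missing signals, JSON-shaped output) boils down to a policy decision over a PEP 740 provenance object. The block below is an added example of that policy logic, not Trustcheck's own code. It assumes the PEP 740 provenance layout (`version`, `attestation_bundles`, each with a `publisher` carrying `kind`, `repository`, `workflow` and `environment`, plus a list of `attestations`) as served by the provenance endpoint of PyPI's integrity API; the sample object, the finding strings and the function names are constructed for the example. Cryptographic verification of the Sigstore bundles themselves is delegated to `pypi-attestations` or `sigstore` and is deliberately not performed here; the example only shows the identity pinning and the strict-mode decision that sit on top of it.

```python
"""Policy check over a PEP 740 provenance object (constructed sample, no network)."""
import json

# Constructed sample of a PEP 740 provenance object.  The real object served by
# PyPI carries Sigstore bundles in "verification_material" and "envelope"; those
# are replaced by placeholders here and must be verified separately with
# pypi-attestations / sigstore before the publisher fields can be trusted.
SAMPLE_PROVENANCE = {
    "version": 1,
    "attestation_bundles": [
        {
            "publisher": {
                "kind": "GitHub",
                "repository": "example-org/example-pkg",
                "workflow": "release.yml",
                "environment": "pypi",
            },
            "attestations": [
                {"version": 1, "verification_material": "<elided>", "envelope": "<elided>"}
            ],
        }
    ],
}

# Publisher kinds this example knows how to interpret (PyPI Trusted Publishers).
SUPPORTED_KINDS = {"GitHub", "GitLab"}

# Findings that mean "no signal at all" rather than "signal contradicts policy".
ABSENT_SIGNAL = {"no_provenance", "no_attestation_bundles", "empty_attestation_list"}


def evaluate_provenance(provenance, expected_repository, expected_workflow=None,
                        required_environment=None):
    """Compare the publisher identity bound to a release against a pinned expectation.

    The Trusted Publisher identity is the security-relevant signal: a typosquat,
    or a compromised maintainer account that uploads through a different
    repository or workflow, will not match the repository pinned by the consumer.
    Returns a JSON-serialisable dict so the result can feed a pipeline directly.
    """
    findings = []
    publishers = []

    if not provenance:
        findings.append("no_provenance")
    else:
        bundles = provenance.get("attestation_bundles") or []
        if not bundles:
            findings.append("no_attestation_bundles")
        for bundle in bundles:
            publisher = bundle.get("publisher") or {}
            publishers.append(publisher)
            kind = publisher.get("kind")
            if kind not in SUPPORTED_KINDS:
                findings.append(f"unsupported_publisher_kind:{kind}")
            if not bundle.get("attestations"):
                findings.append("empty_attestation_list")
            # GitHub/GitLab namespaces are case-insensitive; normalise before comparing.
            repo = (publisher.get("repository") or "").lower()
            if repo != expected_repository.lower():
                findings.append(f"repository_mismatch:{repo or '<none>'}")
            if expected_workflow is not None and publisher.get("workflow") != expected_workflow:
                findings.append(f"workflow_mismatch:{publisher.get('workflow') or '<none>'}")
            if required_environment is not None and publisher.get("environment") != required_environment:
                findings.append(f"environment_mismatch:{publisher.get('environment') or '<none>'}")

    return {"ok": not findings, "findings": findings, "publishers": publishers}


def exit_code(result, strict):
    """Map a verdict to a CI exit status.

    Lenient mode fails only on a positive contradiction (wrong repository,
    workflow or environment).  Strict mode also fails when the signal is absent,
    which is what catches a package that simply never published attestations.
    """
    if result["ok"]:
        return 0
    if strict:
        return 1
    return 0 if all(f in ABSENT_SIGNAL for f in result["findings"]) else 1


if __name__ == "__main__":
    verdict = evaluate_provenance(SAMPLE_PROVENANCE, "example-org/example-pkg",
                                  expected_workflow="release.yml")
    print(json.dumps(verdict, indent=2))
    raise SystemExit(exit_code(verdict, strict=True))
```

The split between `ABSENT_SIGNAL` and everything else is the whole point of a strict flag: lenient mode tolerates the many packages that have no attestations yet, while strict mode turns "no attestations" into a hard failure once a team has decided its dependency set must carry them.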
Category
Target Audience

Python developers, DevSecOps engineers

Similar To

pip-audit · sigstore · OSV-Scanner

Similar Projects

Security · Mid

Package Proxy

Yet another package proxy when Sonatype, Verdaccio, and Cloudsmith already own this space.

Ship It · mslaviero · 207d ago