| Name | rtx-trust JSON |
| Version |
0.1.0
JSON |
| download |
| home_page | None |
| Summary | Real Tracker X: cross-ecosystem dependency trust scanner |
| upload_time | 2025-09-19 04:08:17 |
| maintainer | None |
| docs_url | None |
| author | Andreas Fahl |
| requires_python | >=3.11 |
| license | MIT License
Copyright (c) 2025 Andreas Fahl
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. |
| keywords |
dependencies
osv
sbom
security
supply-chain
|
| VCS |
 |
| bugtrack_url |
|
| requirements |
No requirements were recorded.
|
| Travis-CI |
No Travis.
|
| coveralls test coverage |
No coveralls.
|
# rtx — Real Tracker X
**Author:** Andreas Fahl
**Tagline:** Cross-ecosystem dependency trust scanner for secure upgrades.
## Problem
Modern software supply chains depend on sprawling, fast-moving dependency graphs. Teams struggle to evaluate risk before upgrading, face alert fatigue from siloed advisories, and lack unified visibility across ecosystems. Compromised maintainers, typosquats, and abandoned packages frequently slip past point-in-time audits.
## Solution
rtx pre-computes the blast radius of any change. It ingests manifests from Python, JavaScript, Java, Rust, Go, PHP, .NET, Ruby, Conda, and Homebrew projects, builds a full dependency tree, enriches it with OSV and GitHub advisories, and evaluates trust using transparent heuristics (abandonment, churn, maintainer health, typosquats). Reports yield deterministic exit codes for CI and can be exported as Rich tables, JSON, or HTML bundles.
## Demo (10s Asciinema)
[](docs/demo.md)
## Installation
```bash
pip install rtx-trust
```
## Quickstart
```bash
rtx scan --format table
rtx scan --path examples/mixed
rtx pre-upgrade --manager npm --package react --version 18.0.0
rtx report --format json --output reports/rtx.json
```
## CLI Overview
- `rtx scan`: Detect manifests in the current directory, build the dependency graph, and score trust.
- `rtx pre-upgrade`: Simulate dependency upgrades and compare trust deltas before applying.
- `rtx report`: Render persisted reports in JSON, table, or HTML formats for CI workflows.
- `rtx list-managers`: List supported package managers, manifest file patterns, and detection confidence.
## Library API
```python
from pathlib import Path
from rtx.api import scan_project
report = scan_project(Path("./my-service"), managers=["npm", "pypi"])
print(report.summary())
```
## Examples
- `examples/npm`: Node.js service with npm lockfiles.
- `examples/pypi`: Python project using `pyproject.toml` and `uv.lock`.
- `examples/mixed`: Polyglot workspace combining npm, Poetry, Maven, Cargo, and Docker.
## Architecture
- Modular scanners per ecosystem share a common threat-evaluation core.
- Advisory providers (OSV, GitHub, ecosystem feeds) run asynchronously with caching.
- Trust policy engine computes risk scores and exit codes.
- SBOM generator emits CycloneDX v1.5 for every scan and pre-upgrade run.
## Security Notes
- No install scripts are executed; all metadata resolution is offline-first with bounded timeouts.
- All dependencies are vendored with hashes; CI blocks on unpinned packages.
- Releases publish signed wheels, SBOMs, and SLSA provenance via GitHub OIDC + cosign.
## Roadmap
1. Artifact attestation for container images.
2. Native integrations for Maven Enforcer and Gradle.
3. Streaming trust dashboards with anomaly alerts.
4. Workspace diff views for GitHub, GitLab, and Bitbucket Apps.
## FAQ
**Why another dependency scanner?** rtx focuses on pre-upgrade guardrails, not post-incident triage.
**Does it phone home?** No. Network requests are limited to advisories and metadata endpoints; they respect enterprise proxies.
**Can I extend support?** Yes. Create a plugin under `src/rtx/scanners` and register it in `rtx.registry`.
**How do exit codes map to severity?** 0 = safe, 1 = medium trust gaps, 2 = high/critical risk.
## Community & Support
- Read the [Code of Conduct](CODE_OF_CONDUCT.md).
- See [CONTRIBUTING.md](CONTRIBUTING.md) for onboarding.
- File security issues via [SECURITY.md](SECURITY.md) or /.well-known/security.txt.
- Discussions and roadmaps live under GitHub Discussions.
## Author Attribution
Copyright © 2025 Andreas Fahl.
Raw data
{
"_id": null,
"home_page": null,
"name": "rtx-trust",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.11",
"maintainer_email": null,
"keywords": "dependencies, osv, sbom, security, supply-chain",
"author": "Andreas Fahl",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/f9/58/a0fa46108359e8dfcb5d63ff3285f4d0e3f434f2e4f6361949d72e93a9cb/rtx_trust-0.1.0.tar.gz",
"platform": null,
"description": "# rtx \u2014 Real Tracker X\n\n\n\n\n\n\n\n\n**Author:** Andreas Fahl \n**Tagline:** Cross-ecosystem dependency trust scanner for secure upgrades.\n\n## Problem\nModern software supply chains depend on sprawling, fast-moving dependency graphs. Teams struggle to evaluate risk before upgrading, face alert fatigue from siloed advisories, and lack unified visibility across ecosystems. Compromised maintainers, typosquats, and abandoned packages frequently slip past point-in-time audits.\n\n## Solution\nrtx pre-computes the blast radius of any change. It ingests manifests from Python, JavaScript, Java, Rust, Go, PHP, .NET, Ruby, Conda, and Homebrew projects, builds a full dependency tree, enriches it with OSV and GitHub advisories, and evaluates trust using transparent heuristics (abandonment, churn, maintainer health, typosquats). Reports yield deterministic exit codes for CI and can be exported as Rich tables, JSON, or HTML bundles.\n\n## Demo (10s Asciinema)\n[](docs/demo.md)\n\n## Installation\n```bash\npip install rtx-trust\n```\n\n## Quickstart\n```bash\nrtx scan --format table\nrtx scan --path examples/mixed\nrtx pre-upgrade --manager npm --package react --version 18.0.0\nrtx report --format json --output reports/rtx.json\n```\n\n## CLI Overview\n- `rtx scan`: Detect manifests in the current directory, build the dependency graph, and score trust.\n- `rtx pre-upgrade`: Simulate dependency upgrades and compare trust deltas before applying.\n- `rtx report`: Render persisted reports in JSON, table, or HTML formats for CI workflows.\n- `rtx list-managers`: List supported package managers, manifest file patterns, and detection confidence.\n\n## Library API\n```python\nfrom pathlib import Path\nfrom rtx.api import scan_project\nreport = scan_project(Path(\"./my-service\"), managers=[\"npm\", \"pypi\"])\nprint(report.summary())\n```\n\n## Examples\n- `examples/npm`: Node.js service with npm lockfiles.\n- `examples/pypi`: Python project using `pyproject.toml` and `uv.lock`.\n- `examples/mixed`: Polyglot workspace combining npm, Poetry, Maven, Cargo, and Docker.\n\n## Architecture\n- Modular scanners per ecosystem share a common threat-evaluation core.\n- Advisory providers (OSV, GitHub, ecosystem feeds) run asynchronously with caching.\n- Trust policy engine computes risk scores and exit codes.\n- SBOM generator emits CycloneDX v1.5 for every scan and pre-upgrade run.\n\n## Security Notes\n- No install scripts are executed; all metadata resolution is offline-first with bounded timeouts.\n- All dependencies are vendored with hashes; CI blocks on unpinned packages.\n- Releases publish signed wheels, SBOMs, and SLSA provenance via GitHub OIDC + cosign.\n\n## Roadmap\n1. Artifact attestation for container images.\n2. Native integrations for Maven Enforcer and Gradle.\n3. Streaming trust dashboards with anomaly alerts.\n4. Workspace diff views for GitHub, GitLab, and Bitbucket Apps.\n\n## FAQ\n**Why another dependency scanner?** rtx focuses on pre-upgrade guardrails, not post-incident triage. \n**Does it phone home?** No. Network requests are limited to advisories and metadata endpoints; they respect enterprise proxies. \n**Can I extend support?** Yes. Create a plugin under `src/rtx/scanners` and register it in `rtx.registry`. \n**How do exit codes map to severity?** 0 = safe, 1 = medium trust gaps, 2 = high/critical risk.\n\n## Community & Support\n- Read the [Code of Conduct](CODE_OF_CONDUCT.md).\n- See [CONTRIBUTING.md](CONTRIBUTING.md) for onboarding.\n- File security issues via [SECURITY.md](SECURITY.md) or /.well-known/security.txt.\n- Discussions and roadmaps live under GitHub Discussions.\n\n## Author Attribution\nCopyright \u00a9 2025 Andreas Fahl.\n",
"bugtrack_url": null,
"license": "MIT License\n \n Copyright (c) 2025 Andreas Fahl\n \n Permission is hereby granted, free of charge, to any person obtaining a copy\n of this software and associated documentation files (the \"Software\"), to deal\n in the Software without restriction, including without limitation the rights\n to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n copies of the Software, and to permit persons to whom the Software is\n furnished to do so, subject to the following conditions:\n \n The above copyright notice and this permission notice shall be included in all\n copies or substantial portions of the Software.\n \n THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n SOFTWARE.",
"summary": "Real Tracker X: cross-ecosystem dependency trust scanner",
"version": "0.1.0",
"project_urls": {
"Changelog": "https://github.com/afadesigns/rtx/blob/main/CHANGELOG.md",
"Documentation": "https://afadesigns.github.io/rtx",
"Homepage": "https://github.com/afadesigns/rtx",
"Issues": "https://github.com/afadesigns/rtx/issues",
"Repository": "https://github.com/afadesigns/rtx"
},
"split_keywords": [
"dependencies",
" osv",
" sbom",
" security",
" supply-chain"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "895d876e698eb6f4f7f613e35becf867df9abcf87fb68b2ab8b331baada2fb2f",
"md5": "726f9621b55ead5574c46a74d6783813",
"sha256": "c12fd867414a7cc02dcd8d60ead991d0ab6d427953e8565e0426189c33343846"
},
"downloads": -1,
"filename": "rtx_trust-0.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "726f9621b55ead5574c46a74d6783813",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.11",
"size": 37238,
"upload_time": "2025-09-19T04:08:15",
"upload_time_iso_8601": "2025-09-19T04:08:15.690722Z",
"url": "https://files.pythonhosted.org/packages/89/5d/876e698eb6f4f7f613e35becf867df9abcf87fb68b2ab8b331baada2fb2f/rtx_trust-0.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "f958a0fa46108359e8dfcb5d63ff3285f4d0e3f434f2e4f6361949d72e93a9cb",
"md5": "80921e7b2f5b6d4f5ad027157ce056c7",
"sha256": "0fcfdfdb949a0974c139f7a8d42f9df2689ee46cd35ff642887ea61226118c19"
},
"downloads": -1,
"filename": "rtx_trust-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "80921e7b2f5b6d4f5ad027157ce056c7",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.11",
"size": 217913,
"upload_time": "2025-09-19T04:08:17",
"upload_time_iso_8601": "2025-09-19T04:08:17.621370Z",
"url": "https://files.pythonhosted.org/packages/f9/58/a0fa46108359e8dfcb5d63ff3285f4d0e3f434f2e4f6361949d72e93a9cb/rtx_trust-0.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-09-19 04:08:17",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "afadesigns",
"github_project": "rtx",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "rtx-trust"
}
