TrustOSS repository audit
TrustOSS analyzes public GitHub repositories and returns structured health reports. No authentication is required. Rate limit: ~30 requests/minute per IP — sequence your calls, don't parallel-blast.
Quick start
If the trustoss CLI is installed (npm install -g trustoss-cli):
trustoss analyze <owner/repo> # 5-dimension health score
trustoss deep-scan <owner/repo> # ok/warn/risk findings
trustoss star-audit <owner/repo> # star curve + stargazer audience
Add --json to any command for machine-readable output.
Without the CLI, call the HTTP API directly:
curl "https://trustoss.org/api/analyze?repo=<owner>/<name>"
curl "https://trustoss.org/api/inspect?repo=<owner>/<name>"
curl "https://trustoss.org/api/stars?repo=<owner>/<name>"
Choosing the right endpoint
- analyze — first stop. Overall 0-100 score with letter grade, broken into activity, maintenance, community, documentation, and maturity dimensions, each with per-signal details.
- inspect (deep scan) — structural truth. Groups of findings, each with
severity(ok|warn|risk), covering: code substance (tests, CI config, docs-only detection), engineering health (CI pass rate, PR merge rate), known vulnerabilities (OSV, latest release), real adoption (dependent packages via deps.dev), bus factor (commit concentration), and star growth authenticity (spike detection). - stars (star audit) — is the popularity real? Returns
samples(cumulative star counts over time for a growth curve), plus profiles of the ~30 most recent stargazers classified asveteran/active/casual/newcomer/ghost(empty profile = bought-star signal), and astats.verdictline withverdictSeverity(ok|warn|risk).
Interpreting results
- Overall score ≥80 (A) strong, 60-79 (B) solid, 40-59 (C) needs scrutiny, <40 investigate before adopting.
- Any deep-scan
riskfinding deserves a sentence in your report;warnfindings matter in aggregate. - Star audit:
ghostPct≥40% ornewAccountPct≥50% among recent stargazers means the star count should not be trusted as a popularity signal. A vertical cliff in the growth curve without a matching release is a campaign fingerprint. - Cross-check: high stars +
riskon "real adoption" (few dependents) + ghost-heavy audience = classic inflated repo.
Reporting to the user
Lead with the verdict (adopt / adopt with caveats / avoid), then the
overall score, then only the findings that drove the verdict. Link the
shareable report: https://trustoss.org/repo/<owner>/<name>.