Key takeaways
- The trust stack now has five layers: contributor trust, AI code provenance, artifact/build trust, pipeline trust, and dependency trust — with GUAC emerging as the query layer that ties the evidence together
- The spring 2026 incident wave (PyTorch Lightning, the TanStack Actions worm, the Miasma npm campaign) made CI pipelines the hottest attack surface — and zizmor the fastest-adopted new tool in the category
- AI attribution became a live trust problem: VS Code's forced Copilot co-author backlash, ~41% of new code AI-assisted with no structured provenance, and EU AI Act disclosure enforcement starting August 2026 — git-ai is the first credible answer
- Socket.dev became the category's first unicorn ($60M Series C at $1B, May 2026) with Anthropic, Cursor, and Vercel as customers
FAQ
What are developer trust tools?
Tools that help verify the trustworthiness of code, contributors, and dependencies in software supply chains — from artifact signing (Sigstore) to contributor vouching (Vouch) to AI code provenance (git-ai) to proactive malware detection (Socket.dev).
Why is this category growing now?
Three trends: AI makes generating plausible contributions trivial, undermining traditional trust signals; supply chain attacks keep escalating (the spring 2026 wave hit PyPI, npm, and GitHub Actions in the same quarter); and regulators are arriving — EU AI Act machine-readable AI-content disclosure enforcement begins August 2026.
What is the minimum trust stack for an open source project?
At minimum: Sigstore signing (free via GitHub Artifact Attestations or npm trusted publishing), OpenSSF Scorecard for automated health checks, zizmor in CI if you use GitHub Actions, and Socket.dev for dependency monitoring. High-value projects add SLSA L3 provenance and in-toto attestation.
How do teams attribute AI-written code?
git-ai records line-level provenance (agent, model, prompt) in Git Notes that survive rebases. Vouch addresses the complementary question — whether the human submitting the work is trusted at all.
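The property the answer above relies on is plain git: a note is stored under `refs/notes/commits` keyed to a commit, and the `notes.rewriteRef` setting tells rebase to copy notes onto the rewritten commits. The script below is an added example, not git-ai's code or the Agent Trace schema; the note payload and its field names are constructed placeholders, and it needs a `git` binary on PATH. It runs the same rebase twice, once with the setting and once without, so the "survives rebase" claim and its failure mode are both visible.

```python
"""Git Notes provenance that survives a rebase (added example, not git-ai's code).

Shows the git mechanism only: a note keyed to a commit, plus `notes.rewriteRef`
so rebase copies the note to the rewritten commit. Requires `git` on PATH."""
import json
import os
import subprocess
import tempfile
from typing import Optional

# Constructed placeholder record; the field names are hypothetical, not git-ai's schema.
PROVENANCE_NOTE = {
    "lines": "1-3",
    "agent": "example-agent",
    "model": "example-model-v1",
    "prompt_sha256": "<placeholder>",
}


def _git(repo: str, *args: str) -> str:
    """Run git in `repo` with a fixed identity and no user/system config,
    so the demo behaves the same on any machine."""
    env = dict(
        os.environ,
        GIT_AUTHOR_NAME="demo", GIT_AUTHOR_EMAIL="demo@example.invalid",
        GIT_COMMITTER_NAME="demo", GIT_COMMITTER_EMAIL="demo@example.invalid",
        GIT_CONFIG_GLOBAL=os.devnull, GIT_CONFIG_NOSYSTEM="1",
    )
    out = subprocess.run(["git", *args], cwd=repo, env=env, check=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def _write(repo: str, name: str, text: str, mode: str = "w") -> None:
    with open(os.path.join(repo, name), mode) as fh:
        fh.write(text)


def note_after_rebase(copy_notes: bool) -> Optional[dict]:
    """Commit an 'agent-written' change with a provenance note on a feature
    branch, rebase it onto new upstream work, and return the parsed note found
    on the rewritten commit (None if git dropped it)."""
    with tempfile.TemporaryDirectory() as repo:
        _git(repo, "init", "-q")
        _git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
        if copy_notes:
            # Without this setting git does not copy notes when rebase rewrites
            # commits; this single knob is what makes the note survive.
            _git(repo, "config", "notes.rewriteRef", "refs/notes/commits")

        _write(repo, "base.txt", "base\n")
        _git(repo, "add", ".")
        _git(repo, "commit", "-q", "-m", "base")

        _git(repo, "checkout", "-q", "-b", "feature")
        _write(repo, "agent.py", "x = 1\ny = 2\nz = 3\n")
        _git(repo, "add", ".")
        _git(repo, "commit", "-q", "-m", "agent-written change")
        original = _git(repo, "rev-parse", "HEAD")
        # Provenance is attached out of band: the commit object itself is untouched.
        _git(repo, "notes", "add", "-m", json.dumps(PROVENANCE_NOTE), original)

        _git(repo, "checkout", "-q", "main")
        _write(repo, "base.txt", "upstream\n", mode="a")
        _git(repo, "commit", "-q", "-am", "upstream work")
        _git(repo, "rebase", "-q", "main", "feature")  # rewrites the feature commit
        rewritten = _git(repo, "rev-parse", "feature")
        assert rewritten != original, "rebase should have produced a new commit id"
        try:
            return json.loads(_git(repo, "notes", "show", rewritten))
        except subprocess.CalledProcessError:
            return None  # "no note found": the metadata did not follow the commit


if __name__ == "__main__":
    print("with notes.rewriteRef:   ", note_after_rebase(True))
    print("without notes.rewriteRef:", note_after_rebase(False))
```

The second run is the interesting one for a reviewer: git rewrites the commit id during rebase, and any metadata keyed to the old id silently disappears unless the notes ref is configured for rewriting. Tooling that promises provenance across history rewrites has to set this (or carry its own mapping), and a repository audit should check that the setting is present wherever agents commit.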
Executive Summary
Trust in software has become a multi-layered problem. Who wrote this code — and was it a human? Was this artifact built correctly? Did the CI pipeline itself get compromised? Is this dependency safe? The XZ Utils backdoor proved trusted maintainers can be compromised; the spring 2026 incident wave — PyTorch Lightning on PyPI, the TanStack worm that pushed 84 malicious artifacts through a compromised GitHub Actions pipeline in six minutes, the Miasma npm campaign — proved every layer is under active attack.[1]
Meanwhile, a new trust question went mainstream: what wrote this code? Roughly 41% of new code is AI-assisted with no structured provenance, Microsoft's forced Copilot co-author experiment triggered a community revolt, and EU AI Act disclosure enforcement begins August 2026.
The trust stack now has five layers:
- Contributor trust — Is this person trusted? (Vouch)
- Code provenance — What wrote this line, with which model and prompt? (git-ai)
- Artifact & build trust — Was this built correctly, by authorized systems? (Sigstore, SLSA, in-toto)
- Pipeline trust — Is the CI workflow itself exploitable? (zizmor)
- Dependency trust — Are my dependencies safe and healthy? (Socket.dev, OpenSSF Scorecard)
…and a query layer that ties the evidence together: GUAC's supply-chain knowledge graph.
Market Map
Contributor & Code Provenance
| Tool | Approach | Key Differentiator |
|---|---|---|
| Vouch | Web-of-trust vouching | Contributors must be vouched by trusted members; Ghostty runs it in production (250+ vouched)[2] |
| git-ai | Line-level AI provenance | Records agent/model/prompt per line in Git Notes, surviving rebase; Agent Trace spec; Thoughtworks Radar[3] |
| Entire | Agent session capture | Checkpoints CLI indexes agent prompts/transcripts alongside git commits; ex-GitHub-CEO Dohmke, $60M seed; added June 2026 |
Artifact & Build Trust
| Tool | Approach | Key Differentiator |
|---|---|---|
| Sigstore | Keyless artifact signing | De facto standard — npm, PyPI, Homebrew, GitHub attestations; Rekor v2; now signing AI models (OMS)[4] |
| SLSA | Build provenance framework | Spec v1.2 with approved Source track; GitHub ships Build L2 by default[5][6] |
| in-toto | Supply chain attestation | CNCF graduated (Apr 2025); the attestation format beneath SLSA and GitHub attestations[7] |
Pipeline Trust
| Tool | Approach | Key Differentiator |
|---|---|---|
| zizmor | Static CI auditing | 38 audit classes for GitHub Actions (injection, cache poisoning, impostor commits); 500+ adopters incl. CPython, cURL, Rust[8] |
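The injection audit class in the table refers to `${{ }}` expressions that expand attacker-controllable context (issue titles, PR bodies, branch names) directly inside a `run:` script, where the expansion happens before the shell parses the command. The scanner below is an added example in the spirit of that audit, not zizmor's code: it is stdlib-only, delimits `run:` block scalars by indentation rather than parsing YAML, and uses a prefix list that is only a subset of the contexts GitHub's own documentation calls untrusted. The two workflows it checks are constructed: the weak pattern and the hardened form that passes the value through `env:`.

```python
"""Template-injection audit in the style of zizmor's injection check
(added example, not zizmor's code)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Contexts an outside contributor can fill with arbitrary text. Expanding them
# inside a run: script splices that text into the shell command before the
# shell runs, so quotes or backticks in an issue title become code.
UNTRUSTED_PREFIXES = (
    "github.event.issue.",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.review_comment.body", "github.event.discussion.",
    "github.event.head_commit.message", "github.event.commits",
    "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


@dataclass
class Finding:
    line: int          # 1-based line in the workflow file
    expression: str    # the expression inside ${{ }}


def _run_script_lines(workflow_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, text) for each line belonging to a run: script.
    Block scalars (run: |) are delimited by indentation deeper than the key."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent, value = len(m.group(1)), m.group(2).strip()
        if value and value[0] not in "|>":          # inline form: run: echo ...
            yield i + 1, value
            i += 1
            continue
        i += 1
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            if lines[i].strip():
                yield i + 1, lines[i]
            i += 1


def audit_injection(workflow_text: str) -> List[Finding]:
    """Return every untrusted expression expanded inside a run: script."""
    findings = []
    for line_no, text in _run_script_lines(workflow_text):
        for expr in EXPR.findall(text):
            tokens = re.split(r"[\s()|&!,']+", expr)   # splits format(), ||, ! operands
            if any(tok.startswith(UNTRUSTED_PREFIXES) for tok in tokens):
                findings.append(Finding(line_no, expr))
    return findings


# Constructed workflows: the weak pattern and its hardened equivalent, which
# passes the value through env so the shell sees an ordinary variable.
VULNERABLE = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "Actor: ${{ github.actor }}"
"""

HARDENED = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $ISSUE_TITLE"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_injection(text))
```

The hardened workflow still references the untrusted context, but in an `env:` mapping: the value lands in an environment variable and the script reads `$ISSUE_TITLE`, which the shell treats as data. A real audit additionally has to handle `with:` inputs to `actions/github-script`, reusable-workflow inputs and expressions nested in `format()`, which is part of why running zizmor beats a grep.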
Dependency Trust
| Tool | Approach | Key Differentiator |
|---|---|---|
| Socket.dev | Behavioral analysis | Proactive detection before CVEs exist; flagged the Axios compromise in 6 minutes; $1B valuation[9][10] |
| OpenSSF Scorecard | Automated project scoring | 18 checks, 1M+ repos scored weekly — useful hygiene signal, though research shows scores don't predict fewer vulnerabilities[11] |
Evidence Aggregation
| Tool | Approach | Key Differentiator |
|---|---|---|
| GUAC | Knowledge graph | Ingests SBOMs, SLSA/in-toto attestations, Scorecard, VEX, OSV into one queryable graph (OpenSSF incubating)[12] |
The Trust Stack
These tools are complementary, not competitive. A complete implementation layers them:
| Layer | Tool | What It Verifies | When |
|---|---|---|---|
| Who contributed? | Vouch | Contributor identity and community trust | Before merge |
| What wrote it? | git-ai | Agent/model/prompt per line | At commit |
| Is the pipeline safe? | zizmor | Actions workflow flaws | In CI, continuously |
| Is the package safe? | Socket.dev | Dependency behavior | On dependency change |
| Is the project healthy? | OpenSSF Scorecard | Security practices | Continuous |
| Was it signed? | Sigstore (Cosign) | Artifact authenticity | On release |
| Where was it built? | SLSA + in-toto | Build provenance and steps | On build |
| What does it all mean? | GUAC | Cross-evidence queries ("what depends on the compromised package?") | On incident / audit |
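The last row's query ("what depends on the compromised package?") is only answerable once SBOM edges, advisories, attestations and VEX statements live in one graph. The code below is an added example, not GUAC's code: an in-memory graph that ingests constructed, heavily simplified records in the shapes GUAC consumes (a CycloneDX-style `dependencies` section, an OSV-style advisory, an SLSA-style subject list with a builder id, a VEX `not_affected` statement) and answers the incident question in one call. Every package URL, the advisory id and the builder id are constructed placeholders.

```python
"""A GUAC-style evidence graph answering "what depends on the compromised package?"
(added example, not GUAC's code; all identifiers are constructed placeholders)."""
from collections import defaultdict, deque
from typing import Dict, Set


class EvidenceGraph:
    def __init__(self) -> None:
        self.depended_by: Dict[str, Set[str]] = defaultdict(set)  # dep -> packages that pull it in
        self.vulns: Dict[str, Set[str]] = defaultdict(set)        # pkg -> advisory ids
        self.provenance: Dict[str, str] = {}                      # pkg -> builder id
        self.not_affected: Set[tuple] = set()                     # (pkg, advisory) cleared by VEX

    def ingest_sbom(self, sbom: dict) -> None:
        """CycloneDX-style: dependencies = [{"ref": purl, "dependsOn": [purl, ...]}]."""
        for entry in sbom["dependencies"]:
            for dep in entry.get("dependsOn", []):
                self.depended_by[dep].add(entry["ref"])

    def ingest_osv(self, advisory: dict) -> None:
        for affected in advisory["affected"]:
            self.vulns[affected["purl"]].add(advisory["id"])

    def ingest_slsa(self, attestation: dict) -> None:
        """Only the subject list and builder id are modelled; real SLSA provenance carries more."""
        for subject in attestation["subject"]:
            self.provenance[subject] = attestation["builder_id"]

    def ingest_vex(self, statement: dict) -> None:
        if statement["status"] == "not_affected":
            for product in statement["products"]:
                self.not_affected.add((product, statement["vulnerability"]))

    def dependents_of(self, purl: str) -> Set[str]:
        """Transitive reverse closure: everything that directly or indirectly pulls in purl."""
        seen: Set[str] = set()
        queue = deque([purl])
        while queue:
            for parent in self.depended_by[queue.popleft()]:
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen

    def blast_radius(self, advisory_id: str) -> Dict[str, dict]:
        """'Are we affected?': every dependent of a package the advisory names, minus products
        a VEX statement clears, with each one's build provenance (None = unattested)."""
        report: Dict[str, dict] = {}
        for pkg, ids in self.vulns.items():
            if advisory_id not in ids:
                continue
            for product in self.dependents_of(pkg):
                if (product, advisory_id) in self.not_affected:
                    continue
                entry = report.setdefault(
                    product, {"via": set(), "provenance": self.provenance.get(product)})
                entry["via"].add(pkg)
        return report


COMPROMISED = "pkg:npm/example-http@1.2.3"       # constructed placeholder package
ADVISORY = "EXAMPLE-2026-0001"                   # constructed placeholder advisory id
BUILDER = "https://ci.example.invalid/builder"   # constructed placeholder builder id


def build_demo_graph() -> EvidenceGraph:
    """Ingest a constructed evidence set: two SBOMs, one advisory, one attestation, one VEX."""
    g = EvidenceGraph()
    g.ingest_sbom({"dependencies": [
        {"ref": "pkg:npm/acme-web@1.0.0", "dependsOn": [COMPROMISED, "pkg:npm/tiny-util@0.1.0"]},
        {"ref": "pkg:npm/acme-api@2.0.0", "dependsOn": ["pkg:npm/acme-client@0.3.0"]},
        {"ref": "pkg:npm/acme-client@0.3.0", "dependsOn": [COMPROMISED]},
        {"ref": "pkg:npm/acme-docs@1.0.0", "dependsOn": ["pkg:npm/tiny-util@0.1.0"]},
    ]})
    g.ingest_sbom({"dependencies": [{"ref": "pkg:npm/acme-cli@3.0.0", "dependsOn": [COMPROMISED]}]})
    g.ingest_osv({"id": ADVISORY, "affected": [{"purl": COMPROMISED}]})
    g.ingest_slsa({"subject": ["pkg:npm/acme-web@1.0.0", "pkg:npm/acme-api@2.0.0"],
                   "builder_id": BUILDER})
    # Constructed VEX claim: acme-cli ships the package but never reaches the affected code.
    g.ingest_vex({"vulnerability": ADVISORY, "status": "not_affected",
                  "products": ["pkg:npm/acme-cli@3.0.0"]})
    return g


if __name__ == "__main__":
    graph = build_demo_graph()
    print("dependents:", sorted(graph.dependents_of(COMPROMISED)))
    for product, info in sorted(graph.blast_radius(ADVISORY).items()):
        print(product, "via", sorted(info["via"]), "provenance:", info["provenance"])
```

The report surfaces the second-order dependency (`acme-api` is exposed only through `acme-client`) that a flat SBOM grep would miss, drops the product a VEX statement clears, and shows which exposed artifacts carry no build provenance at all, which is the first thing an incident responder wants to know before trusting a rebuilt release.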
The TanStack Lesson
The XZ Utils backdoor taught the category that maintainers can be compromised. The TanStack worm (April–May 2026) taught it that pipelines can be: the attacker entered through a GitHub Actions workflow and shipped 84 malicious artifacts across 42 packages in six minutes — faster than any human review cycle.[1] That is why pipeline auditing (zizmor), provenance-by-default (GitHub attestations, npm trusted publishing[6]), and behavioral detection (Socket) now sit alongside signing in the minimum stack.
What Changed Since March
- Socket.dev became the category's first unicorn — $60M Series C at $1B (Thrive Capital, May 2026), 27,000+ orgs, customers including Anthropic, Cursor, and Vercel; shipped the free Socket Firewall[10]
- AI attribution went from theory to fight — VS Code shipped (then default-enabled, then walked back) Copilot co-author trailers; git-ai and the Agent Trace spec emerged as the structured answer[3]
- Provenance became default-on — GitHub Artifact Attestations ship SLSA Build L2 out of the box; npm trusted publishing auto-generates Sigstore-logged provenance[6]
- Sigstore extended to AI models — the OpenSSF Model Signing spec uses Sigstore's bundle format; NVIDIA signs all NGC models with it[4]
- Consolidation — Phylum's tech was absorbed into Veracode; Stacklok pivoted to MCP agent infrastructure, orphaning Minder; Chainguard raised $356M at $3.5B as the secure-artifact supplier adjacent to this category
Choosing the Right Tools
Open source maintainer drowning in AI-generated PRs → Vouch gates who can contribute; git-ai records what wrote the code that gets in.
You use GitHub Actions → zizmor in CI, today. The spring attack wave went through pipelines.
Engineering team consuming many dependencies → Socket.dev for behavioral detection; OpenSSF Scorecard for upstream hygiene signals.
You publish artifacts → Sigstore signing — free by default via GitHub attestations or npm trusted publishing — and SLSA provenance levels as the maturity ladder, with in-toto attestations underneath.
Security team that needs to answer "are we affected?" in minutes → GUAC to query all of the above as one graph.
Compliance-driven (EU AI Act, August 2026) → git-ai, for machine-readable AI-content provenance, is the closest shipped tool to the requirement.
Bottom Line
The category matured along two axes since March. Vertically, each layer hardened: Sigstore shipped Rekor v2 and model signing, SLSA's Source track was approved, Socket reached unicorn scale. Horizontally, two new layers emerged: pipeline trust (zizmor, after attackers moved into CI) and AI code provenance (git-ai, after the industry realized 41% of its code has no answer to "what wrote this").
The minimum stack is no longer optional for serious projects, and most of it is now free and default-on. The open questions for the next cycle: whether the Agent Trace spec becomes the standard for AI provenance the way in-toto did for build attestation, and whether the trust stack consolidates into platforms (GitHub, Socket, Chainguard) or stays composable.
Research by Ry Walker Research • methodology