Thirdpass Docs

Overview

Public documentation for Thirdpass.

Thirdpass coordinates supply chain review for open-source packages.

The core idea is that package reviews should be reusable. A review submitted for a package artifact can help every project that depends on that same artifact, instead of forcing each project to repeat the work alone.

What Thirdpass Does

Thirdpass has three main parts:

  • A CLI that runs reviews and checks projects from the terminal.
  • Ecosystem extensions that understand package registries and dependency files.
  • A server that assigns review work and stores submitted review coverage.

Main Workflows

Use review-any to contribute review coverage to the shared package pool:

thirdpass review-any --nightshift

Use review-deps inside a project to review packages your project already depends on. Completed reviews are saved in the project under .thirdpass/reviews/ so they can be committed with the dependency files:

thirdpass review-deps

Use check inside a project to compare its dependencies against submitted reviews and committed project reviews:

thirdpass check

Why Coverage Matters

Thirdpass reviews are file-focused. A package may have many files, and review coverage grows as more files are reviewed by more users or agents.

This makes coverage visible instead of binary. A package can be partly reviewed, fully reviewed, or reviewed several times by independent contributors.
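The file-level coverage model above, and the `check` comparison of a project's dependencies against pooled and committed reviews, can be illustrated with a small simulation. This is an added example, not Thirdpass's own code or data model; the artifact ids, file lists, reviewer names and the `Review`/`coverage`/`check` names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Review:
    """One review record: the files of one artifact that one reviewer covered."""
    artifact: str      # constructed artifact id, e.g. "pkg-a@1.0.0"
    reviewer: str      # contributor or agent who did the review
    files: frozenset   # artifact files this review actually looked at

def coverage(artifact_files, reviews):
    """Return (fraction_covered, depth, status) for one artifact.
    depth = smallest number of independent reviewers any file has, so depth 2
    means every file was seen by two different reviewers; repeats count once."""
    reviewers = {f: set() for f in artifact_files}
    for r in reviews:
        for f in r.files:
            if f in reviewers:            # ignore files not in this artifact
                reviewers[f].add(r.reviewer)
    covered = sum(1 for s in reviewers.values() if s)
    fraction = covered / len(reviewers) if reviewers else 0.0
    depth = min((len(s) for s in reviewers.values()), default=0)
    status = "full" if depth >= 1 else ("partial" if covered else "unreviewed")
    return fraction, depth, status

def check(deps, pool_reviews, project_reviews):
    """Rate each dependency using shared-pool reviews and the project's own
    committed reviews together; deps maps artifact id -> list of its files."""
    reviews = list(pool_reviews) + list(project_reviews)
    return {
        artifact: coverage(files, [r for r in reviews if r.artifact == artifact])
        for artifact, files in deps.items()
    }

# Constructed sample data (not real packages or reviews).
DEPS = {
    "pkg-a@1.0.0": ["index.js", "lib/util.js", "package.json"],
    "pkg-b@2.1.0": ["main.py", "setup.py"],
    "pkg-c@0.1.0": ["mod.rs"],
}
POOL = [  # reviews submitted to the shared pool
    Review("pkg-a@1.0.0", "alice", frozenset({"index.js", "lib/util.js"})),
    Review("pkg-a@1.0.0", "bob", frozenset(DEPS["pkg-a@1.0.0"])),
    Review("pkg-b@2.1.0", "carol", frozenset({"main.py"})),
]
PROJECT = [Review("pkg-a@1.0.0", "alice", frozenset({"package.json"}))]  # committed in-project

if __name__ == "__main__":
    for artifact, (fraction, depth, status) in check(DEPS, POOL, PROJECT).items():
        print(f"{artifact}: {status}, {fraction:.0%} of files, depth {depth}")
```

Running it reports pkg-a as fully reviewed with depth 2, pkg-b as partially reviewed, and pkg-c as unreviewed, which is the non-binary picture the text describes.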