chain-bench v0.1.8 releases: auditing your software supply chain stack for security compliance
chain-bench
Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark. The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.
Please Note
Chain-bench implements the CIS Software Supply Chain Benchmark as closely as possible. You can find the currently implemented checks under AVD – Software Supply Chain CIS – 1.0, which is updated every night from the chain-bench metadata.json files. Please raise issues here if chain-bench is not correctly implementing a test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.
Use
Requirement
You must provide an access token granted these scopes: repo (all), read:repo_hook, admin:org_hook, read:org.
Quick start
The primary way to run chain-bench is as a stand-alone CLI, which needs your account's personal access token and the repository URL in order to access your SCM.
Example
chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>
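As an added example (not part of chain-bench or its documentation), the wrapper below covers both the scope requirement above and the quick-start command: it reads the token from the GITHUB_TOKEN environment variable instead of the command line (so it does not land in shell history or the process list), looks up the token's granted scopes from GitHub's X-OAuth-Scopes response header, reports any of the four required scopes that are missing, and only then invokes chain-bench scan with the flags shown above. Assumptions: chain-bench is on PATH, the repository is on github.com, the GitHub API is reachable, and GitHub's documented scope nesting (admin:repo_hook implies read:repo_hook, admin:org implies read:org) is current. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example wrapper around `chain-bench scan` (not the project's own code).
# Assumes: chain-bench on PATH, token in GITHUB_TOKEN, repository on github.com.
set -eu

# Scopes the chain-bench documentation says the token must carry.
REQUIRED_SCOPES="repo read:repo_hook admin:org_hook read:org"

# has_scope GRANTED NEEDED: succeed if NEEDED is in the space-separated GRANTED
# list, or is implied by a broader scope (assumption: GitHub's documented
# nesting admin:repo_hook > write:repo_hook > read:repo_hook and
# admin:org > write:org > read:org is current).
has_scope() {
  _g=" $1 "
  case "$2" in
    read:repo_hook) _alts="read:repo_hook write:repo_hook admin:repo_hook" ;;
    read:org)       _alts="read:org write:org admin:org" ;;
    *)              _alts="$2" ;;
  esac
  for _s in $_alts; do
    case "$_g" in *" $_s "*) return 0 ;; esac
  done
  return 1
}

# missing_scopes HEADER_VALUE: given the comma-separated value of GitHub's
# X-OAuth-Scopes header, print the required scopes that are absent
# (space-separated, empty line if none).
missing_scopes() {
  _granted=$(printf '%s' "$1" | tr ',' ' ')
  _missing=""
  for _need in $REQUIRED_SCOPES; do
    has_scope "$_granted" "$_need" || _missing="$_missing $_need"
  done
  printf '%s\n' "${_missing# }"
}

# fetch_scopes: ask the GitHub API which scopes GITHUB_TOKEN carries (network).
fetch_scopes() {
  curl -fsS -I -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user \
    | tr -d '\r' | awk -F': ' 'tolower($1) == "x-oauth-scopes" { print $2 }'
}

# valid_repo_url URL: accept only github.com repository URLs (assumption:
# the SCM is github.com, as in the quick-start example).
valid_repo_url() {
  case "$1" in
    https://github.com/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# run_scan REPO_URL OUTPUT_PATH: validate inputs, verify scopes, then scan.
run_scan() {
  _repo="$1"
  _out="$2"
  : "${GITHUB_TOKEN:?set GITHUB_TOKEN instead of passing the token as an argument}"
  valid_repo_url "$_repo" || { echo "unexpected repository URL: $_repo" >&2; return 2; }
  _miss=$(missing_scopes "$(fetch_scopes)")
  if [ -n "$_miss" ]; then
    echo "token is missing required scopes: $_miss" >&2
    return 3
  fi
  chain-bench scan --repository-url "$_repo" --access-token "$GITHUB_TOKEN" -o "$_out"
}

# Only scan when invoked with two arguments; otherwise the functions can be
# sourced and exercised on their own.
if [ "$#" -eq 2 ]; then
  run_scan "$1" "$2"
fi
```

Usage: `GITHUB_TOKEN=... sh scan.sh https://github.com/<owner>/<repo> results.json`. Failing closed on a scope check before the scan runs gives a clearer error than a partially populated report, since chain-bench cannot evaluate hook- and organisation-level checks with a token that lacks those scopes.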
Changelog v0.1.8
Download
Copyright (C) 2022 aquasecurity