chain-bench v0.1.7 releases: auditing your software supply chain stack for security compliance


Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance, based on the new CIS Software Supply Chain Benchmark. The audit covers the entire SDLC, so it can reveal risks from code time through deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.

Please Note

Chain-bench implements the CIS Software Supply Chain Benchmark as closely as possible. You can find the currently implemented checks under AVD – Software Supply Chain CIS – 1.0, which is updated every night from the chain-bench metadata.json files. Please raise issues here if chain-bench is not correctly implementing a test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.



You must provide an access token with permission to these scopes: repo (all), read:repo_hook, admin:org_hook, read:org.

Quick start

The primary way to run chain-bench is as a stand-alone CLI, which requires the personal access token of your account and the repository URL in order to access your SCM.


chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>
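The following POSIX shell wrapper is an added example, not part of chain-bench or of this announcement. It checks that a GitHub classic personal access token actually carries the four scopes listed above before the scan is launched, which turns a confusing mid-scan permission failure into a clear up-front error. It reads the scopes from the X-OAuth-Scopes response header that GitHub returns for classic tokens (fine-grained tokens do not send this header, so for them the check reports every scope as missing). The environment variable names GITHUB_TOKEN, REPOSITORY_URL and OUTPUT_PATH, the default output path, and the function names has_scope, missing_scopes, granted_scopes and run_scan are this example's own choices; the parent-scope relations come from GitHub's scope documentation.

```shell
#!/bin/sh
# Added example, not chain-bench's own code: verify that a GitHub classic
# personal access token carries the scopes chain-bench needs, then run the scan.
# Assumes the caller exports GITHUB_TOKEN, REPOSITORY_URL and (optionally)
# OUTPUT_PATH; those variable names are this script's choice.

# Scopes listed for chain-bench; "repo" (all) is the parent of the repo:* scopes.
REQUIRED_SCOPES="repo read:repo_hook admin:org_hook read:org"

# has_scope NEED GRANTED...: succeeds if NEED, or a GitHub parent scope that
# includes it, is among GRANTED. Parent relations per GitHub's scope docs:
# admin:org > write:org > read:org; admin:repo_hook > write:repo_hook > read:repo_hook.
has_scope() {
    need=$1; shift
    for have in "$@"; do
        if [ "$have" = "$need" ]; then return 0; fi
        case "$need" in
            read:org)       case "$have" in admin:org|write:org) return 0;; esac ;;
            read:repo_hook) case "$have" in admin:repo_hook|write:repo_hook) return 0;; esac ;;
        esac
    done
    return 1
}

# missing_scopes HEADER: HEADER is the value of GitHub's X-OAuth-Scopes header
# (comma-separated, e.g. "repo, read:org"). Prints the required scopes that are
# not covered, space-separated, and returns 1 if any are missing; prints nothing
# and returns 0 when the token is sufficient.
missing_scopes() {
    granted=$(printf '%s' "$1" | tr ',' ' ')
    missing=""
    for need in $REQUIRED_SCOPES; do
        if ! has_scope "$need" $granted; then   # $granted unquoted: split on spaces
            missing="${missing:+$missing }$need"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# granted_scopes: ask GitHub which scopes GITHUB_TOKEN carries (classic PATs only).
granted_scopes() {
    curl -sS -I -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user \
        | tr -d '\r' | awk -F': ' 'tolower($1)=="x-oauth-scopes" {print $2}'
}

# run_scan: refuse to start chain-bench unless the token covers every scope.
run_scan() {
    : "${GITHUB_TOKEN:?export a classic personal access token}"
    : "${REPOSITORY_URL:?export the repository URL to scan}"
    out=${OUTPUT_PATH:-./chain-bench-report}     # default path is an assumption
    granted=$(granted_scopes)
    if ! missing=$(missing_scopes "$granted"); then
        echo "token is missing required scopes: $missing" >&2
        return 1
    fi
    chain-bench scan --repository-url "$REPOSITORY_URL" --access-token "$GITHUB_TOKEN" -o "$out"
}

# Only contact GitHub and run the scan when invoked as: sh check-and-scan.sh run
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

Note that chain-bench, as the quick start above shows, takes the token on its command line, so it is visible to other local users through the process list for the duration of the scan; keep the token scoped to exactly the four listed scopes and run the scan on a host you trust.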

Changelog v0.1.7


Copyright (C) 2022 aquasecurity