chain-bench v0.1.7 releases: auditing your software supply chain stack for security compliance

chain-bench

Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark. The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.

Please Note

Chain-bench implements the CIS Software Supply Chain Benchmark as closely as possible. You can find the current implemented checks under AVD – Software Supply Chain CIS – 1.0 that update every night based on chain-bench metadata.json files Please raise issues here if chain-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.

Use

Requirement

It is required to provide an access token with permission to these scopes: repo(all), read:repo_hook, admin:org_hook, read:org

Quick start

There is a primary way to run chain-bench as a stand-alone cli, that requires the personal access token of your account and the repository url in order to access your SCM.

Example

chain-bench scan –repository-url <REPOSITORY_URL> –access-token <TOKEN> -o <OUTPUT_PATH>

Changelog v0.1.7

• ea7d32d Add support for self-hosted SCM (#111)
• 012229c Bug: Fix Crashing when scanning gitlab with sub groups (#108)
• 7568310 Update README.md (#106)
• c117435 add missing copy command (#100)
• 2c5756d add missing tpl file in dockerbuild (#102)
• 7b31054 check branch protection obj not null (#115)
• dbccccd fix missing tpl files (#104)
• d687016 soft failure for failed in information fetching (#116)

Download

Copyright (C) 2022 aquasecurity