chain-bench v0.1.7 releases: auditing your software supply chain stack for security compliance
Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark. The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.
Chain-bench implements the CIS Software Supply Chain Benchmark as closely as possible. You can find the currently implemented checks under AVD – Software Supply Chain CIS – 1.0, which is updated every night from the chain-bench metadata.json files. Please raise issues here if chain-bench is not correctly implementing a test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.
You must provide an access token with permission to these scopes: repo (all), read:repo_hook, admin:org_hook, read:org.
The primary way to run chain-bench is as a stand-alone CLI, which requires the personal access token of your account and the repository URL in order to access your SCM:
chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>
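Before handing a token to the scanner it is worth confirming that it carries exactly the scopes listed above and nothing broader. The following pre-flight check is an added example, not part of chain-bench; it assumes a GitHub classic personal access token (GitHub reports a classic token's scopes in the `X-OAuth-Scopes` response header) read from a `GITHUB_TOKEN` environment variable, and encodes the scope hierarchy in which broader scopes such as `admin:org` imply narrower ones such as `read:org`.

```python
"""Pre-flight check: does a GitHub classic PAT carry the scopes chain-bench needs?"""
import os
import sys
import urllib.request

# Scopes the release notes list as required for chain-bench.
REQUIRED_SCOPES = {"repo", "read:repo_hook", "admin:org_hook", "read:org"}

# Broader classic scopes that imply narrower ones (GitHub OAuth scope hierarchy).
IMPLIES = {
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_scope_header(value):
    """Parse the comma-separated X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in value.split(",") if s.strip()}


def expand_scopes(granted):
    """Return the granted scopes plus every narrower scope they imply."""
    effective = set(granted)
    for scope in granted:
        effective |= IMPLIES.get(scope, set())
    return effective


def missing_scopes(granted):
    """Required scopes the token lacks, directly or via a broader scope (sorted for stable output)."""
    return sorted(REQUIRED_SCOPES - expand_scopes(granted))


def fetch_token_scopes(token, api="https://api.github.com"):
    """Call the API and read X-OAuth-Scopes (classic tokens only; needs network access)."""
    req = urllib.request.Request(
        f"{api}/user",
        headers={"Authorization": f"token {token}", "User-Agent": "chain-bench-scope-check"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scope_header(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    # Assumed convention: token comes from the environment, not the command line or shell history.
    missing = missing_scopes(fetch_token_scopes(os.environ["GITHUB_TOKEN"]))
    print("token ok" if not missing else f"token is missing scopes: {', '.join(missing)}")
    sys.exit(1 if missing else 0)
```

A non-zero exit makes the check usable as a gate in the same CI job that runs `chain-bench scan`.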
- ea7d32d Add support for self-hosted SCM (#111)
- 012229c Bug: Fix Crashing when scanning gitlab with sub groups (#108)
- 7568310 Update README.md (#106)
- c117435 add missing copy command (#100)
- 2c5756d add missing tpl file in dockerbuild (#102)
- 7b31054 check branch protection obj not null (#115)
- dbccccd fix missing tpl files (#104)
- d687016 soft failure for failed in information fetching (#116)
Copyright (C) 2022 aquasecurity