{"id":13533022,"url":"https://github.com/aquasecurity/chain-bench","last_synced_at":"2025-10-13T07:22:23.395Z","repository":{"id":37008159,"uuid":"491440930","full_name":"aquasecurity/chain-bench","owner":"aquasecurity","description":"An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.","archived":false,"fork":false,"pushed_at":"2024-12-11T23:52:10.000Z","size":6024,"stargazers_count":752,"open_issues_count":20,"forks_count":65,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-07-27T00:47:46.755Z","etag":null,"topics":["cis","devsecops","go","golang","misconfiguration","open-policy-agent","security","security-tools","software-supply-chain","software-supply-chain-security","vulnera"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-12T09:08:00.000Z","updated_at":"2025-07-24T16:30:15.000Z","dependencies_parsed_at":"2023-01-17T12:49:05.506Z","dependency_job_id":"9fa0a06e-a4a7-4ed6-b21d-d0ed8029c2c0","html_url":"https://github.com/aquasecurity/chain-bench","commit_stats":{"total_commits":66,"total_committers":15,"mean_commits":4.4,"dds":0.5151515151515151,"last_synced_commit":"1f0436eb76c10ea898c15c6c09b7d77c4efe6d16"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/aquasecurity/chain-bench","repository_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/aquasecurity%2Fchain-bench","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fchain-bench/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fchain-bench/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fchain-bench/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/chain-bench/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fchain-bench/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279014111,"owners_count":26085463,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cis","devsecops","go","golang","misconfiguration","open-policy-agent","security","security-tools","software-supply-chain","software-supply-chain-security","vulnera"],"created_at":"2024-08-01T07:01:15.904Z","updated_at":"2025-10-13T07:22:23.337Z","avatar_url":"https://github.com/aquasecurity.png","language":"Go","funding_links":[],"categories":["Supply chain specific tools","Go","Build techniques","Application Security","Supply Chain Compliance"],"sub_categories":["Supply 
chain beyond libraries","Supply chain security"],"readme":"\u003cp align=\"center\"\u003e\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"docs/imgs/banner_dm.png\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"docs/imgs/banner_lm.png\"\u003e\n  \u003cimg alt=\"chain-bench logo\" src=\"docs/imgs/banner_lm.png\"\u003e\n\u003c/picture\u003e\n\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n\n[📖 Documentation][docs]\n\nChain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new \n  \u003ca href=\"docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf\"\u003eCIS Software Supply Chain benchmark\u003c/a\u003e.\nThe auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.\n\nRead more in the [Chain-bench Documentation][docs]\n\u003c/p\u003e\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/aquasecurity/chain-bench.svg?style=flat-square)](https://pkg.go.dev/github.com/aquasecurity/chain-bench)\n[![GitHub Release][release-img]][release]\n[![Downloads][download]][release]\n[![DockerHub Pulls][docker-pull-img]][docker-pull]\n[![Build Status](https://github.com/aquasecurity/chain-bench/workflows/Build/badge.svg?branch=main\u0026style=flat-square)](https://github.com/aquasecurity/chain-bench/actions)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=flat-square)](https://github.com/aquasecurity/chain-bench/blob/main/LICENSE)\n[![go-report-card][go-report-card]](https://goreportcard.com/report/github.com/aquasecurity/chain-bench)\n\n\u003c!-- ![coverage report](https://img.shields.io/codecov/c/github/aquasecurity/chain-bench?style=flat-square) --\u003e\n\n[download]: 
https://img.shields.io/github/downloads/aquasecurity/chain-bench/total?logo=github\u0026style=flat-square\n[release-img]: https://img.shields.io/github/release/aquasecurity/chain-bench.svg?logo=github\u0026style=flat-square\n[release]: https://github.com/aquasecurity/chain-bench/releases\n[docker-pull]: https://cloud.docker.com/repository/docker/aquasec/chain-bench\n[docker-pull-img]: https://img.shields.io/docker/pulls/aquasec/chain-bench.svg\n[go-report-card]: https://goreportcard.com/badge/github.com/aquasecurity/chain-bench?style=flat-square\n\n\u003cfigure style=\"text-align: center\"\u003e\n  \u003cimg src=\"docs/imgs/demo.gif\" alt=\"demo\"\u003e\n\u003c/figure\u003e\n\n# Contents\n\n- [Contents](#contents)\n- [Introduction](#introduction)\n- [Quick start](#quick-start)\n  - [Installation](#installation)\n  - [Usage](#usage)\n    - [Using docker](#using-docker)\n    - [Using GitHub Actions](#using-github-actions)\n    - [Using Gitlab CI (beta)](#using-gitlab-ci-beta)\n- [Requirements](#requirements)\n- [Supported Providers](#supported-providers)\n- [Please Note](#please-note)\n- [Contributing](#contributing)\n- [Roadmap](#roadmap)\n\n# Introduction\n\nChain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new [CIS Software Supply Chain benchmark](/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf).\nThe auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time.\n\n# Quick start\n\nThe primary way to run chain-bench is as a standalone CLI. It requires an access token for your account and the repository URL in order to access your SCM.\n\n## Installation\n\nGet Chain-bench via your favorite installation method. See the [installation] section in the documentation for details. 
For example:\n\n- `brew install chain-bench`\n- `nix-env --install -A nixpkgs.chain-bench`\n- `docker run aquasec/chain-bench`\n- Download binary from https://github.com/aquasecurity/chain-bench/releases/latest/\n\n## Usage\n\n```bash\nchain-bench scan --repository-url \u003cREPOSITORY_URL\u003e --access-token \u003cTOKEN\u003e -o \u003cOUTPUT_PATH\u003e\n```\n\n### Using Self-hosted or Dedicated SCM Platforms (with custom domains)\n\n```bash\nchain-bench scan --repository-url \u003cREPOSITORY_URL\u003e --scm-platform \u003cSCM_PLATFORM\u003e --access-token \u003cTOKEN\u003e -o \u003cOUTPUT_PATH\u003e\n```\n\nSupported options for `scm-platform` are `\"github\"` and `\"gitlab\"` (beta)\n\n### Using docker\n\n```bash\ndocker run aquasec/chain-bench scan --repository-url \u003cREPOSITORY_URL\u003e --access-token \u003cTOKEN\u003e\n```\n\n### Using GitHub Actions\n\nSee the repository at https://github.com/aquasecurity/chain-bench-action\n\n\u003cdetails\u003e\n\u003csummary\u003eExample output\u003c/summary\u003e\n\n```\n2022-06-13 15:22:18 INF 🚩\tFetch Starting\n2022-06-13 15:22:19 INF 🏢\tFetching Organization Settings Finished\n2022-06-13 15:22:29 INF 🛢️\tFetching Repository Settings Finished\n2022-06-13 15:22:29 INF 🌱\tFetching Branch Protection Settings Finished\n2022-06-13 15:22:29 INF 👫\tFetching Members Finished\n2022-06-13 15:22:31 INF 🔧\tFetching Pipelines Finished\n2022-06-13 15:22:31 INF 🏁\tFetch succeeded\n   ID                                                 Name                                                Result                  Reason\n-------- ----------------------------------------------------------------------------------------------- -------- ---------------------------------------\n 1.1.3    Ensure any change to code receives approval of two strongly authenticated users                 Passed\n 1.1.4    Ensure previous approvals are dismissed when updates are introduced to a code change proposal   Failed\n 1.1.5    Ensure that there are 
restrictions on who can dismiss code change reviews                       Failed\n 1.1.6    Ensure code owners are set for extra sensitive code or configuration                            Failed\n 1.1.8    Ensure inactive branches are reviewed and removed periodically                                  Failed   20 inactive branches\n 1.1.9    Ensure all checks have passed before the merge of new code                                      Passed\n 1.1.10   Ensure open git branches are up to date before they can be merged into codebase                 Passed\n 1.1.11   Ensure all open comments are resolved before allowing to merge code changes                     Passed\n 1.1.12   Ensure verifying signed commits of new changes before merging                                   Failed\n 1.1.13   Ensure linear history is required                                                               Passed\n 1.1.14   Ensure branch protection rules are enforced on administrators                                   Failed\n 1.1.15   Ensure pushing of new code is restricted to specific individuals or teams                       Passed\n 1.1.16   Ensure force pushes code to branches is denied                                                  Failed\n 1.1.17   Ensure branch deletions are denied                                                              Failed\n 1.2.1    Ensure all public repositories contain a SECURITY.md file                                       Failed\n 1.2.2    Ensure repository creation is limited to specific members                                       Failed\n 1.2.3    Ensure repository deletion is limited to specific members                                       Passed\n 1.2.4    Ensure issue deletion is limited to specific members                                            Passed\n 1.3.1    Ensure inactive users are reviewed and removed periodically                                     Failed   22 inactive users\n 1.3.3    Ensure minimum admins are set for the 
organization                                              Passed\n 1.3.5    Ensure the organization is requiring members to use MFA                                         Passed\n 1.3.7    Ensure 2 admins are set for each repository                                                     Failed\n 1.3.8    Ensure strict base permissions are set for repositories                                         Passed\n 1.3.9    Ensure an organization's identity is confirmed with a Verified badge                            Failed\n 2.3.1    Ensure all build steps are defined as code                                                      Failed   No build job was found in pipelines\n 2.3.5    Ensure access to the build process's triggering is minimized                                    Passed\n 2.3.7    Ensure pipelines are automatically scanned for vulnerabilities                                  Passed\n 2.3.8    Ensure scanners are in place to identify and prevent sensitive data in pipeline files           Failed   Repository is not scanned for secrets\n 2.4.2    Ensure all external dependencies used in the build process are locked                           Failed   16 task(s) are not pinned\n 2.4.6    Ensure pipeline steps produce an SBOM                                                           Passed\n 3.1.7    Ensure dependencies are pinned to a specific, verified version                                  Failed   16 dependencies are not pinned\n 3.2.2    Ensure packages are automatically scanned for known vulnerabilities                             Passed\n 3.2.3    Ensure packages are automatically scanned for license implications                              Passed\n 4.2.3    Ensure user's access to the package registry utilizes MFA                                       Passed\n 4.2.5    Ensure anonymous access to artifacts is revoked                                                 Passed\n 4.3.4    Ensure webhooks of the package registry are secured                        
                     Passed\n-------- ----------------------------------------------------------------------------------------------- -------- ---------------------------------------\n Total Passed Rules: 19 out of 36\n2022-06-13 15:22:31 INF Scan completed: 13.108s\n```\n\u003c/details\u003e\n\n\n### Using Gitlab CI (beta)\n\nYou can integrate chain-bench results into the [Gitlab Vulnerability Report](https://docs.gitlab.com/ee/user/application_security/vulnerability_report/) by adding a new step to your CI definition:\n```\nchain-bench-scanning:\n  stage: test\n  image:\n    name: docker.io/aquasec/chain-bench\n    entrypoint: [\"\"]\n  script:\n    - chain-bench scan --repository-url $CI_PROJECT_URL --access-token $CHAIN_BENCH_TOKEN --scm-platform gitlab -o results.json --template @/templates/gitlab_security_scanner.tpl\n  artifacts:\n    reports:\n      container_scanning: results.json\n```\n* You have to create a new [token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) with the `Maintainer` role that has the `read_api` \u0026 `read_repository` permissions and pass it to the job as an environment variable (e.g. $CHAIN_BENCH_TOKEN)\n\n\n# Requirements\n\nIt is required to provide an access token with permission to these scopes: `repo` (all), `read:repo_hook`, `admin:org_hook`, `read:org`\n\n# Supported Providers\n\nWe currently support GitHub and GitLab SCMs, with PAT authentication.\n\n# Please Note\n\nChain-bench implements the CIS Software Supply Chain Benchmark as closely as possible.\nYou can find the currently implemented checks under [AVD - Software Supply Chain CIS - 1.0](https://avd.aquasec.com/compliance/softwaresupplychain/cis-1.0/), which is updated every night based on chain-bench's metadata.json files.\nPlease raise issues here if chain-bench is not correctly implementing the test as described in the Benchmark. 
To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.\n\n# Contributing\n\nKindly read [Contributing](CONTRIBUTING.md) before contributing.\nWe welcome PRs and issue reports.\n\n# Roadmap\n\nGoing forward we plan to release updates to chain-bench to increase the benchmark coverage with more checks and support more platforms.\nchain-bench is an Aqua Security open source project and part of the Trivy family.\n\n[docs]: https://github.com/aquasecurity/chain-bench/blob/main/docs/\n[installation]: https://github.com/aquasecurity/chain-bench/blob/main/docs/getting-started/installation.md\n\u003c!-- TODO: swap to GH pages\n[docs]: https://aquasecurity.github.io/chain-bench\n[installation]: https://aquasecurity.github.io/chain-bench/latest/docs/getting-started/installation/\n--\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fchain-bench","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Fchain-bench","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fchain-bench/lists"}