Automic VaultAutomic Vault

brew

Install chain-bench with Homebrew, Nix

Software supply chain auditing tool based on CIS benchmark. Version 0.1.10 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install chain-bench

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#chain-bench

nixpkgs package indexes · pkgs/by-name/ch/chain-bench/package.nix · source: api.github.com

overview

Package summary

Software supply chain auditing tool based on CIS benchmark

Commands and aliases

  • chain-bench

history

Project history and usage

Chain-bench is Aqua Security's open-source CLI for auditing software supply-chain posture against the CIS Software Supply Chain Security Guide. Its history is bound to the 2022 CIS/Aqua push to make supply-chain controls measurable across source code, build pipelines, dependencies, artifacts, and deployment.

Project history

Aqua announced Chain-bench on June 22, 2022 alongside the CIS Software Supply Chain Security Guide, describing it as an open-source auditing tool for the new CIS guidelines. The official README says Chain-bench scans the software delivery lifecycle from code time through deploy time and implements CIS Software Supply Chain Benchmark checks.

Adoption history

The official README documents installation through Homebrew, Nix, Docker, GitHub releases, and GitHub Actions, with GitLab CI support described as beta. Aqua's July 2022 blog also listed GitHub Action, Docker image, executable releases, and NixOS package routes, showing the project was designed to be consumed both locally and in CI.

How it is used

Users provide a repository URL and an SCM access token, then run chain-bench scan to collect organization, repository, branch protection, member, and pipeline settings and report pass/fail results for CIS controls. The README documents GitHub and GitLab SCM support, personal access token requirements, Docker usage, and CI integration.

Why package nerds care

Chain-bench is interesting to package maintainers because it packages a compliance benchmark as a CLI, Docker image, GitHub Action, and distro package instead of only as a SaaS feature. That makes it part of the post-SolarWinds/log4j supply-chain tooling wave where checklists became runnable developer tools.

Timeline

  • 2022: Aqua and CIS released the Software Supply Chain Security Guide and Aqua unveiled Chain-bench.
  • 2022: Aqua published a getting-started blog for auditing CIS compliance with Chain-bench.
  • 2026: The README documents Brew, Nix, Docker, release binaries, GitHub Actions, and beta GitLab CI usage.

Related projects

  • Chain-bench is related to the CIS Software Supply Chain Security Guide, Aqua Vulnerability Database compliance checks, Trivy-family Aqua open-source tooling, GitHub Actions, GitLab CI, and SCM platforms such as GitHub and GitLab.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
chain-benchcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.1.10
manager updated
local dataok
upstreamcurrent
latest detectedv0.1.10

https://github.com/aquasecurity/chain-bench

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:chain-bench
Version0.1.10
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/chain-bench
Homepagehttps://github.com/aquasecurity/chain-bench
Repositoryhttps://github.com/aquasecurity/chain-bench
Upstream docshttps://aquasecurity.github.io/chain-bench
LicenseApache-2.0
Source archivehttps://github.com/aquasecurity/chain-bench/archive/refs/tags/v0.1.10.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namechain-bench
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

chain-bench

nix profile install nixpkgs#chain-bench
  • normalized package name match
  • Matched by: Chain Bench
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ch/chain-bench/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment