# Install chain-bench with Homebrew, Nix

Software supply chain auditing tool based on CIS benchmark. Version 0.1.10 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:chain-bench
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install chain-bench
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#chain-bench
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ch/chain-bench/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:chain-bench
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/chain-bench>
- **Version:** 0.1.10
- **Source summary:** Software supply chain auditing tool based on CIS benchmark
- **Homepage:** <https://github.com/aquasecurity/chain-bench>
- **Repository:** <https://github.com/aquasecurity/chain-bench>
- **Upstream docs:** <https://aquasecurity.github.io/chain-bench>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/aquasecurity/chain-bench/archive/refs/tags/v0.1.10.tar.gz>
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- chain-bench (cli)
- chain-bench (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.1.10
- Local data: ok
- Upstream repository: https://github.com/aquasecurity/chain-bench
- Upstream latest detected: v0.1.10 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

Chain-bench is Aqua Security's open-source CLI for auditing software supply-chain posture against the CIS Software Supply Chain Security Guide. Its history is bound to the 2022 CIS/Aqua push to make supply-chain controls measurable across source code, build pipelines, dependencies, artifacts, and deployment.

### Project history

Aqua announced Chain-bench on June 22, 2022 alongside the CIS Software Supply Chain Security Guide, describing it as an open-source auditing tool for the new CIS guidelines. The official README says Chain-bench scans the software delivery lifecycle from code time through deploy time and implements CIS Software Supply Chain Benchmark checks.

### Adoption history

The official README documents installation through Homebrew, Nix, Docker, GitHub releases, and GitHub Actions, with GitLab CI support described as beta. Aqua's July 2022 blog also listed GitHub Action, Docker image, executable releases, and NixOS package routes, showing the project was designed to be consumed both locally and in CI.

### How it is used

Users provide a repository URL and an SCM access token, then run chain-bench scan to collect organization, repository, branch protection, member, and pipeline settings and report pass/fail results for CIS controls. The README documents GitHub and GitLab SCM support, personal access token requirements, Docker usage, and CI integration.

### Why package nerds care

Chain-bench is interesting to package maintainers because it packages a compliance benchmark as a CLI, Docker image, GitHub Action, and distro package instead of only as a SaaS feature. That makes it part of the post-SolarWinds/log4j supply-chain tooling wave where checklists became runnable developer tools.

### Timeline

- 2022: Aqua and CIS released the Software Supply Chain Security Guide and Aqua unveiled Chain-bench.
- 2022: Aqua published a getting-started blog for auditing CIS compliance with Chain-bench.
- 2026: The README documents Brew, Nix, Docker, release binaries, GitHub Actions, and beta GitLab CI usage.

### Related projects

- Chain-bench is related to the CIS Software Supply Chain Security Guide, Aqua Vulnerability Database compliance checks, Trivy-family Aqua open-source tooling, GitHub Actions, GitLab CI, and SCM platforms such as GitHub and GitLab.

### Sources

- <https://github.com/aquasecurity/chain-bench#readme>
- <https://github.com/aquasecurity/chain-bench/tree/main/docs>
- <https://www.aquasec.com/news/software-supply-chain-security-guide-cis-aqua-security/>
- <https://www.aquasec.com/blog/cis-software-supply-chain-compliance/>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** chain-bench
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - chain-bench: normalized package name match | nixpkgs package indexes: pkgs/by-name/ch/chain-bench/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [vet](https://www.automicvault.com/pkg/brew/vet/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [zizmor](https://www.automicvault.com/pkg/brew/zizmor/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [opensca-cli](https://www.automicvault.com/pkg/brew/opensca-cli/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [parlay](https://www.automicvault.com/pkg/brew/parlay/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [ratchet](https://www.automicvault.com/pkg/brew/ratchet/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [ratify](https://www.automicvault.com/pkg/brew/ratify/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [slsa-verifier](https://www.automicvault.com/pkg/brew/slsa-verifier/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [witness](https://www.automicvault.com/pkg/brew/witness/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [kube-bench](https://www.automicvault.com/pkg/brew/kube-bench/) - Security-sensitive metadata or terminology overlaps. Shared terms: bench, benchmark, cis, cis-benchmark, cli.

## Combined YAML source

View the package source record on GitHub. [combined/chain-bench.yml](https://github.com/automic-vault/db/blob/main/combined/chain-bench.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
