Chain-bench – a tool for auditing your software supply chain
Chain-bench is an open source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
You can run the tool from a CLI, assuming your code is hosted on GitHub (more SCM hosts coming soon):
chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>
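As an added example (not from the post or from the chain-bench project itself), a small POSIX shell wrapper around the scan command above: it takes the token from a GITHUB_TOKEN environment variable so it never ends up in your shell history, and rejects anything that is not a GitHub repository URL up front, since GitHub is the only host the tool supports right now. The repository URL and output path in the usage line are constructed placeholders, and chain-bench must be on your PATH for the final command to run.

```shell
#!/bin/sh
# Added example, not part of chain-bench. Wraps "chain-bench scan" so that the
# access token is read from the environment instead of being typed on the
# command line, and validates the repository URL before calling the tool.

# Returns 0 when the URL looks like https://github.com/<owner>/<repo>
# (an optional trailing .git is accepted); anything else returns 1.
is_github_repo_url() {
  case "$1" in
    https://github.com/*/*) ;;   # needs both an owner and a repo segment
    *) return 1 ;;
  esac
  rest="${1#https://github.com/}"
  owner="${rest%%/*}"
  repo="${rest#*/}"
  repo="${repo%.git}"
  # Reject empty segments and extra path components after the repo name.
  [ -n "$owner" ] && [ -n "$repo" ] && case "$repo" in */*) return 1 ;; esac
}

# Usage: GITHUB_TOKEN=... chain_bench_scan <repository-url> <output-path>
# Only the flags shown in the post (--repository-url, --access-token, -o) are used.
chain_bench_scan() {
  repo_url="$1"
  out="$2"
  if ! is_github_repo_url "$repo_url"; then
    echo "unsupported repository URL (GitHub only for now): $repo_url" >&2
    return 2
  fi
  if [ -z "$out" ]; then
    echo "output path is required" >&2
    return 2
  fi
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    # Keep the token out of shell history by exporting it rather than
    # pasting it into the command; the tool itself still receives it as a flag.
    echo "GITHUB_TOKEN is not set; export it before running the scan" >&2
    return 2
  fi
  chain-bench scan --repository-url "$repo_url" --access-token "$GITHUB_TOKEN" -o "$out"
}

# Constructed placeholder values; replace with your own repository and output path.
# chain_bench_scan "https://github.com/example-org/example-repo" "./chain-bench-results"
```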
I couldn’t find a comprehensive list of what checks are in the benchmark, but it appears they are referring to this guide. You can see what an example run’s results look like in the README.