rigscore

April 19, 2026 hygiene, security, ai, cli, open-source, devtools

A hygiene score for your AI dev environment

One local command. 13 scored checks plus 7 advisory. A score out of 100 with an A–F grade. Scans the filesystem, reads your configs, compares governance claims against observed behavior. No account, no API token, no data leaves the machine.

1
npx github:Back-Road-Creative/rigscore

Sample output

  +----------------------------------------+
  |                                        |
  |        rigscore v0.9.0                 |
  |   AI Dev Environment Hygiene Check     |
  |                                        |
  +----------------------------------------+

  Scanning /home/user/my-project ...

  [OK]  CLAUDE.md governance.......... 10/10
  [OK]  Claude settings safety........ 8/8
  [OK]  Cross-config coherence........ 14/14
  [OK]  Credential storage hygiene.... 6/6
  [N/A] Deep source secrets........... N/A
  [OK]  Docker security............... 6/6
  [OK]  Secret exposure............... 8/8
  [OK]  Git hooks..................... 2/2
  [OK]  Infrastructure security....... 5/6
  [ADV] Instruction effectiveness..... advisory
  [X]   MCP server configuration...... 0/14
  [OK]  Permissions hygiene........... 4/4
  [N/A] Site security................. N/A
  [OK]  Skill file safety............. 10/10
  [OK]  Unicode steganography......... 4/4
  [N/A] Windows/WSL security.......... N/A
  [ADV] Skill <-> governance coherence advisory
  [ADV] Workflow maturity............. advisory
  [N/A] Network exposure.............. N/A

  +----------------------------------------+
  |                                        |
  |         HYGIENE SCORE: 78/100          |
  |         Grade: B                       |
  |         Risk: Standard                 |
  |                                        |
  +----------------------------------------+

  CRITICAL (1)
  [X] MCP server "filesystem" has broad filesystem access: /
      -> Scope filesystem access to your project directory only.

Why this exists

Rules in a CLAUDE.md file don’t enforce themselves. Under load, the model rationalizes around them. rigscore scans for the pieces underneath — mount points, hooks, package pinning, config coherence — that hold up whether the model is paying attention or not.

A single hygiene score, a cross-config coherence pass that checks governance claims against actual configuration, and a CI-gate exit code. Fully offline by default. --online is opt-in for site probes and MCP supply-chain verification.

Meant to run before you adopt an enterprise scanner. If your CLAUDE.md says “never access /etc” and your MCP config mounts /, rigscore tells you.

What it checks

Weights are the single source of truth in src/constants.js. Per-check documentation lives in the rigscore repo under docs/checks/<id>.md.

Scored checks (13 · 100 points)

Check	Weight	Category
MCP server configuration	14	supply-chain
Cross-config coherence	14	governance
Skill file safety	10	supply-chain
CLAUDE.md governance	10	governance
Claude settings safety	8	governance
Deep source secrets	8	secrets
Secret exposure	8	secrets
Credential storage hygiene	6	secrets
Docker security	6	isolation
Infrastructure security	6	process
Unicode steganography	4	supply-chain
Permissions hygiene	4	process
Git hooks	2	process

Moat-heavy: AI-specific checks (MCP, coherence, skill files, CLAUDE.md) account for 48 of the 100 points. The remaining 52 cover secrets, container isolation, infrastructure, and hygiene.

Advisory checks (7 · zero weight)

Check	Scope
Windows/WSL security	WSL interop, `.wslconfig`, Defender exclusions (Windows only)
Network exposure	AI services bound to `0.0.0.0`, MCP SSE hosts, Docker port bindings
Site security	Headers, sensitive paths, PII leakage for deployed sites (`--online`)
Instruction effectiveness	Context budget, bloat, vague directives, contradictions, dead references
Skill ↔ governance coherence	SKILL.md awareness of merge workflow, layer restrictions, WIP protection
Workflow maturity	Pipeline overload, graduation signals, stale memory, taxonomy misclassification
Documentation coverage	Every check module has a matching doc page with the canonical sections filled in

Scoring

Score	Grade	Meaning
90–100	A	Strong hygiene posture
75–89	B	Good foundation, some gaps
60–74	C	Moderate risk, needs attention
40–59	D	Significant gaps
0–39	F	Critical issues, fix immediately

CRITICAL findings zero out their sub-check entirely.
WARNING findings deduct 15 points each (1 = 85, 2 = 70, 3 = 55).
INFO findings deduct 2 points each, with a floor of 50 when no WARNINGs are present.
PASS and SKIPPED have no score impact.

Compound risk penalty: when coherence finds a CRITICAL contradiction, an additional 10 points are deducted from the overall score — reflecting the systemic nature of governance failures.

Coverage scaling: checks that find nothing to scan are marked N/A and excluded from the weighted average — their weight is redistributed across applicable checks. If total applicable weight falls below 50 out of 100, the overall score is additionally scaled by W / 100. Partial coverage means partial confidence.

Limitations

rigscore is a configuration presence checker, not a security enforcement tool. Read this before you rely on the score as a governance quality signal.

Semantic reversal bypasses keyword checks. The governance checks (CLAUDE.md + coherence, 24 of the 100 scoring points) verify that your governance file mentions concepts like “path restrictions” and “forbidden actions.” A CLAUDE.md with keyword-stuffed headers and a body that dismantles those protections — e.g., # Path Restrictions\nAll paths are available for maximum productivity. — passes the keyword check. See test/keyword-gaming.test.js in the repo for the committed list of known bypasses.
Injection detection is pattern-based. The patterns catch common prompt injection attempts with Unicode normalization. Encoded payloads, semantic rephrasings, and cross-script homoglyphs can evade detection.
Config-shape pinning only, not runtime tool descriptions. rigscore hashes the configured shape of each MCP server — {command, args, envKeys} — and warns when it changes between scans (CVE-2025-54136 / MCPoison class). It does not hash the tool descriptions a running MCP server advertises; that would require invoking the server. rigscore ships a print-and-paste mcp-hash / mcp-pin / mcp-verify workflow for runtime pinning without executing the server.
Secret scanning covers named config files in the project root. Use --deep for recursive source scanning. Use gitleaks or trufflehog for git history.
Point-in-time snapshots only. No continuous monitoring, no git history scanning.
Score is shape-dependent. Overall score reflects only the checks applicable to your project shape. An npm package will legitimately see 9–10 of 19 checks as N/A (no MCP config, no Dockerfile, no .claude/skills/) and score accordingly. See Dogfooding below.

Dogfooding

rigscore runs on rigscore in CI.

Self-score: 35/100 (Grade F). The real score, not a vanity baseline. rigscore is an npm package; 10 of 19 checks return N/A. The score is scaled down proportionally when applicable coverage is below 50%. Intended behavior.
CI threshold: --fail-under 30. Calibrated to the observed baseline with a 5-point regression buffer. The public default is 70; the gap reflects project-shape reality, not a permissive gate.
.rigscorerc.json disables three checks (infrastructure-security, skill-coherence, workflow-maturity) that require workspace-oriented artifacts rigscore doesn’t ship.

CI integration

GitHub Actions

1
2
3
4
- uses: Back-Road-Creative/rigscore@main
  with:
    fail-under: 70
    upload-sarif: true

Or run directly without the action:

1
- run: npx github:Back-Road-Creative/rigscore --ci --fail-under 70

Pin to a released tag (e.g. @v0.8.0) for reproducible CI when one is available.

SARIF

rigscore emits SARIF v2.1.0 compatible with GitHub Advanced Security. Run npx github:Back-Road-Creative/rigscore --sarif > results.sarif and upload via github/codeql-action/upload-sarif.

How rigscore compares

rigscore is not the only AI-agent config scanner. Real alternatives exist.

Tool	Niche	Use when
rigscore	Single-score hygiene check with cross-config coherence	You want one local command, an A–F grade, and a CI gate. No account, no token.
Snyk Agent Scan	15+ risk-category finding stream, runtime tool-description pinning	You need enterprise reporting, runtime MCP tool pinning, or already have a Snyk contract. Requires `SNYK_TOKEN`.
Semgrep	General static analysis, 5000+ rules, optional MCP server	You’re scanning application source, not config hygiene, or already run Semgrep in CI.

Where rigscore differs from Snyk: the cross-config coherence check. Single-score CI gate with --fail-under N. Fully local by default.

Where Snyk is ahead: runtime tool-description pinning, broader risk-category coverage, published threat models.

Where Semgrep is a better fit: you want to scan your application source for vulnerabilities, not validate your AI-agent configuration. rigscore does not replace Semgrep — it runs upstream of it.

Source and releases

GitHub: github.com/Back-Road-Creative/rigscore
Releases: /releases/
Install: npx github:Back-Road-Creative/rigscore
License: MIT

← Back to Home