AI agent governance, security tooling, and mechanical enforcement.

rigscore

  • #hygiene
  • #security
  • #ai
  • #cli
  • #open-source
  • #devtools

Scope. rigscore measures configuration hygiene, not runtime security: it reads the files on disk — governance docs, MCP configs, Docker settings, skill files, permissions — and scores what they say. Pair it with a runtime scanner and source-level SAST; see known limits and verify rigscore.

Two scores

One local command runs 28 checks — 13 scored plus 15 advisory — and prints two independent 100-point scores, each A–F: Security (hygiene) and Practice. Fully offline: no token, no data leaves the machine.

npx github:Back-Road-Creative/rigscore

Requires Node >= 18.17. --online adds site probes and MCP supply-chain checks.


Sample output

  rigscore v2.1.0

  [X]   MCP server configuration  [mechanical]  CRITICAL "filesystem" mounts /
  [OK]  Cross-config coherence    [keyword]     governance matches config
  [ADV] Semantic tool judge       [pattern]     advisory — run with --semantic

  HYGIENE 78/100 (B)   ·   Practice 71/100 (B)
  Grade: B

  Each row's [mechanical] / [pattern] / [keyword] tag shows how its points
  are earned (see the legend below).

Why rigscore

  • The only cross-config coherence pass. rigscore reads your governance claims and checks them against your actual configuration, catching contradictions single-surface scanners miss — a CLAUDE.md that forbids /etc while the MCP config mounts /, a “no shell” rule sitting next to a shell server with filesystem access. A config that is honestly insecure scores better than one that lies about its posture.
  • A second axis nobody else scores. Alongside Security, every scan prints a Practice score — does this team drive its agents well? — from loop governance, spec goals, workflow maturity, and sandbox posture. Most scanners grade the config; rigscore also grades the workflow.
  • Full power offline, whole surface, one score. Every scored check runs with no token, no account, and no data leaving the machine (--online only adds optional probes) — and instructions, permissions, MCP, skills, hooks, CI, Docker, and env all fold into one A–F grade and an embeddable badge, not a single-tool silo.

Fix what it finds

rigscore . --fix dry-runs every auto-fixable issue — plus the starter packs that target your red checks — and writes nothing. --fix --yes applies the safe, file-level fixes to files you already have; --fix --yes --install-packs also scaffolds guard packs for the major AI clients wherever a check is red. To install a single pack on its own, run rigscore init --<pack>. The full flag ladder lives in the command reference.


What it checks

Scored checks (13 · 100 points)

CheckWeightCategory
Cross-config coherence14governance
MCP server configuration14supply-chain
Governance documentation10governance
Skill file safety10supply-chain
Claude settings safety8governance
Deep source secrets8secrets
Secret exposure8secrets
Credential storage hygiene6secrets
Docker security6isolation
Infrastructure security6process
Permissions hygiene4process
Unicode steganography4governance
Git hooks2process

AI-specific checks (MCP, coherence, skill files, governance docs) hold 48 of the 100 points; the rest cover secrets, container isolation, infrastructure, hygiene.

Advisory checks (15 · zero weight)

Advisory checks carry zero Security weight; several score on the Practice axis instead.

CheckCategoryEnforcement
Agent output schemasgovernancemechanical
AI disclosuregovernancekeyword
CI agent capsprocesspattern
Documentation coverageprocessmechanical
Instruction effectivenessgovernancekeyword
Loop governanceprocesspattern
Memory hygienegovernancemechanical
Network exposureisolationmechanical
Sandbox postureisolationmechanical
Semantic tool-description judgesupply-chainpattern
Site securityisolationmechanical
Skill ↔ governance coherencegovernancekeyword
Spec goalsgovernancekeyword
Windows/WSL securityisolationmechanical
Workflow maturitygovernancekeyword

Scoring

ScoreGradeMeaning
90–100AStrong hygiene posture
75–89BGood foundation, some gaps
60–74CModerate risk, needs attention
40–59DSignificant gaps
0–39FCritical issues, fix immediately
  • CRITICAL zeros out its sub-check; a coherence CRITICAL costs an extra 10 points.
  • WARNING deducts 15 each (1 = 85, 2 = 70, 3 = 55); INFO deducts 2 each, floored at 50 with no WARNINGs.
  • PASS / SKIPPED: no impact.

Coverage scaling: unscannable checks are marked N/A and their weight redistributed; the score scales by min(1, W / 100) for applicable weight W.

The Practice score

Every scan prints a second 100-point axis. Security asks is this rig safe? Practice asks does this team drive its agents well?

Practice checkWeight
Loop governance25
Spec goals20
Workflow maturity20
Sandbox posture15
CI agent caps10
Memory hygiene5
AI disclosure5

Practice checks contribute zero to Security. A repo with no practice surface prints Practice: n/a, not an unfair 0/100; --json reports practiceScore (number or null). The cross-config coherence pass and this second axis are what set rigscore apart — see Why rigscore.

Enforcement-grade labels

Each check’s label shows how its points are earned; it is display-only.

  • [mechanical] — deterministic config inspection, ungameable by wording. 15 of 28.
  • [pattern] — regex/structural scan, evadable only by novel obfuscation. 7 of 28.
  • [keyword] — phrase presence in governance prose, gameable by keyword-stuffing (see known limits). 6 of 28.

Scoring profiles

A profile is a weight map. Five ship built in:

ProfileUse-case
defaultBalanced AI dev environment audit
minimalSmoke test — AI-moat checks only
ciCI pipelines (identical to default today)
homeSingle-user dev boxes — infra/docker/windows off
monorepoMulti-project repos — hints --recursive --depth 3
npx github:Back-Road-Creative/rigscore --profile minimal

Resolution order: --profile, then project .rigscorerc.json, then ~/.rigscorerc.json, then default. Custom weights: promote an advisory check into the scored lane (non-zero) or demote a scored one (0).


Compliance report

--report compliance groups findings by framework control — deterministic text, diffable in CI or for an auditor:

npx github:Back-Road-Creative/rigscore --report compliance .
FrameworkStatusCoverage
OWASP Top 10 for Agentic Applications 2026Finalfull
OWASP MCP Top 10Beta (pilot)partial
NIST AI RMF 1.0Finalfull
EU AI Act — Regulation (EU) 2024/1689In force, phasedfull

The table only claims what it can prove: controls with no supporting check print NOT EVIDENCED, and unmapped checks print UNMAPPED. Muted findings (suppress: / --ignore) are disclosed by count and id. Not with --recursive.


Limitations

rigscore is a configuration presence checker, not an enforcement tool. Read this before relying on the score as a governance quality signal.

  • Semantic reversal bypasses keyword checks. The governance checks (governance docs + coherence, 24 of the 100 scoring points) only confirm your file mentions concepts like “path restrictions”; stuffed headers over a body that dismantles them still pass. See test/keyword-gaming.test.js for the bypass list.
  • Injection detection is pattern-based. Unicode-normalized patterns catch common prompt-injection; encoded payloads, rephrasings, and homoglyphs can evade them.
  • Config-shape pinning only, not runtime tool descriptions. rigscore hashes each MCP server’s configured shape — {command, args, envKeys} — and warns on change (CVE-2025-54136 / MCPoison class), but does not hash the tool descriptions a running server advertises. The mcp-hash / mcp-pin / mcp-verify workflow pins those operator-side.
  • Secret scanning covers named config files in the project root. Use --deep for recursive source, or a dedicated git-history secret scanner for git history.
  • Point-in-time snapshots only. No continuous monitoring, no git-history scan.
  • Score depends on project shape. rigscore ships 28 checks; an npm package legitimately sees most as N/A. rigscore itself is a package, not an agent workspace — no committed MCP config, no .claude/skills/, no per-client rule sets — so only a minority apply. See Dogfooding for the exact self-score.

Dogfooding

rigscore runs on rigscore in CI.

  • Self-score 37/100 (Grade F). The real score: as an npm package only 10 of its 28 apply (weight 46/100), the rest N/A.
  • CI threshold --fail-under 30. The baseline (37) minus a 7-point buffer; the public default is 70.
  • .rigscorerc.json disables four checks (infrastructure-security, skill-coherence, workflow-maturity, agent-output-schemas) needing artifacts rigscore doesn’t ship.

CI integration

GitHub Actions

1- uses: Back-Road-Creative/[email protected]
2  with:
3    fail-under: 70
4    upload-sarif: true

Or run directly:

- run: npx github:Back-Road-Creative/rigscore --ci --fail-under 70

Pin to a released tag (the action rejects @main-style refs); tags through v2.1.0 are available.

SARIF

rigscore emits SARIF v2.1.0: npx github:Back-Road-Creative/rigscore --sarif > results.sarif, uploaded via github/codeql-action/upload-sarif.

Baseline gate

Gate on new findings, not an absolute score: the first run writes the baseline; later runs report only findings not in it and exit 1 if any exist:

npx github:Back-Road-Creative/rigscore --baseline .rigscore-baseline.json

Commit the baseline: the gate reads the HEAD copy, so a deleted or corrupt working-tree baseline fails closed. Refresh with --baseline-refresh.

State file and MCP-shape gate

With a repo-level .mcp.json, a scan writes .rigscore-state.json: a SHA-256 pin of each MCP server’s {command, args, envKeys} shape (env keys only, never values). A changed pin flags a silent swap of a trusted server (the MCPoison class, CVE-2025-54136); an uncommitted pin detects nothing.

npx github:Back-Road-Creative/rigscore --verify-state

--verify-state is the read-only CI gate: it reads the pin at HEAD (a fresh pin can’t satisfy it) and exits 1 on drift, 2 if missing or corrupt, 0 if all match. --no-state-write skips the write on a borrowed checkout, flagging the lost coverage.

Runtime tool pinning

The state file above pins each MCP server’s configured shape. The tool descriptions a running server advertises are pinned separately, on demand — rigscore never launches the server itself (that would hand code execution to the thing you distrust), so it uses a print-and-paste workflow:

1npx -y <mcp-server-package> | rigscore mcp-hash | xargs rigscore mcp-pin <server>   # pin
2npx -y <mcp-server-package> | rigscore mcp-verify <server>                          # verify later

rigscore mcp-hash canonicalizes and hashes a tools/list JSON read from stdin; mcp-pin stores it in .rigscore-state.json; mcp-verify re-compares. Verify exits 0 on a match, 3 when nothing is pinned for that server, and 4 on drift — a tool description that silently changed under a trusted server (the CVE-2025-54136 rug-pull class). Each server also gets a zero-weight INFO during a normal scan showing whether its runtime hash is pinned.

Exit codes

CodeMeaning
0At or above --fail-under (baseline: no new findings)
1Below --fail-under, or new findings vs baseline
2Config error — bad .rigscorerc.json, unknown --profile, or corrupt baseline
3rigscore mcp-verify <server> with no runtime hash pinned
4rigscore mcp-verify <server> drift — the piped tools/list no longer matches the pinned runtime hash

Source and releases

← Back to Home