rigscore

  • #hygiene
  • #security
  • #ai
  • #cli
  • #open-source
  • #devtools

Scope. rigscore measures configuration hygiene, not runtime security. It reads the files on disk — governance docs, MCP configs, Docker settings, skill files, permissions — and scores what they say. It does not observe the running agent, intercept tool calls, or hash live MCP tool descriptions. It complements Snyk Agent Scan and Semgrep; it does not replace them. See known limits for what rigscore does not catch, and verify rigscore for how to audit the tool itself before running it.

A hygiene score for your AI dev environment

One local command. 13 scored checks plus 7 advisory. A score out of 100 with an A–F grade. Scans the filesystem, reads your configs, compares governance claims against observed behavior. No account, no API token, no data leaves the machine.

npx github:Back-Road-Creative/rigscore

Sample output

  +----------------------------------------+
  |                                        |
  |        rigscore v2.0.0                 |
  |   AI Dev Environment Hygiene Check     |
  |                                        |
  +----------------------------------------+

  Scanning /home/user/my-project ...

  [OK]  CLAUDE.md governance.......... 10/10
  [OK]  Claude settings safety........ 8/8
  [OK]  Cross-config coherence........ 14/14
  [OK]  Credential storage hygiene.... 6/6
  [N/A] Deep source secrets........... N/A
  [OK]  Docker security............... 6/6
  [OK]  Secret exposure............... 8/8
  [OK]  Git hooks..................... 2/2
  [OK]  Infrastructure security....... 5/6
  [ADV] Instruction effectiveness..... advisory
  [X]   MCP server configuration...... 0/14
  [OK]  Permissions hygiene........... 4/4
  [N/A] Site security................. N/A
  [OK]  Skill file safety............. 10/10
  [OK]  Unicode steganography......... 4/4
  [N/A] Windows/WSL security.......... N/A
  [ADV] Skill <-> governance coherence advisory
  [ADV] Workflow maturity............. advisory
  [N/A] Network exposure.............. N/A

  +----------------------------------------+
  |                                        |
  |         HYGIENE SCORE: 78/100          |
  |         Grade: B                       |
  |         Risk: Standard                 |
  |                                        |
  +----------------------------------------+

  CRITICAL (1)
  [X] MCP server "filesystem" has broad filesystem access: /
      -> Scope filesystem access to your project directory only.

Why this exists

Rules in a CLAUDE.md file don’t enforce themselves. Under load, the model rationalizes around them. rigscore scans for the pieces underneath — mount points, hooks, package pinning, config coherence — that hold up whether the model is paying attention or not.

A single hygiene score, a cross-config coherence pass that checks governance claims against actual configuration, and a CI-gate exit code. Fully offline by default. --online is opt-in for site probes and MCP supply-chain verification.

Meant to run before you adopt an enterprise scanner. If your CLAUDE.md says “never access /etc” and your MCP config mounts /, rigscore tells you.


What it checks

Weights are the single source of truth in src/constants.js. Per-check documentation lives in the rigscore repo under docs/checks/<id>.md.

Scored checks (13 · 100 points)

| Check | Weight | Category |
|---|---|---|
| MCP server configuration | 14 | supply-chain |
| Cross-config coherence | 14 | governance |
| Skill file safety | 10 | supply-chain |
| CLAUDE.md governance | 10 | governance |
| Claude settings safety | 8 | governance |
| Deep source secrets | 8 | secrets |
| Secret exposure | 8 | secrets |
| Credential storage hygiene | 6 | secrets |
| Docker security | 6 | isolation |
| Infrastructure security | 6 | process |
| Unicode steganography | 4 | supply-chain |
| Permissions hygiene | 4 | process |
| Git hooks | 2 | process |

Moat-heavy: AI-specific checks (MCP, coherence, skill files, CLAUDE.md) account for 48 of the 100 points. The remaining 52 cover secrets, container isolation, infrastructure, and hygiene.

Advisory checks (7 · zero weight)

| Check | Scope |
|---|---|
| Windows/WSL security | WSL interop, .wslconfig, Defender exclusions (Windows only) |
| Network exposure | AI services bound to 0.0.0.0, MCP SSE hosts, Docker port bindings |
| Site security | Headers, sensitive paths, PII leakage for deployed sites (--online) |
| Instruction effectiveness | Context budget, bloat, vague directives, contradictions, dead references |
| Skill ↔ governance coherence | SKILL.md awareness of merge workflow, layer restrictions, WIP protection |
| Workflow maturity | Pipeline overload, graduation signals, stale memory, taxonomy misclassification |
| Documentation coverage | Every check module has a matching doc page with the canonical sections filled in |

Scoring

| Score | Grade | Meaning |
|---|---|---|
| 90–100 | A | Strong hygiene posture |
| 75–89 | B | Good foundation, some gaps |
| 60–74 | C | Moderate risk, needs attention |
| 40–59 | D | Significant gaps |
| 0–39 | F | Critical issues, fix immediately |

  • CRITICAL findings zero out their sub-check entirely.
  • WARNING findings deduct 15 points each (1 = 85, 2 = 70, 3 = 55).
  • INFO findings deduct 2 points each, with a floor of 50 when no WARNINGs are present.
  • PASS and SKIPPED have no score impact.

Compound risk penalty: when coherence finds a CRITICAL contradiction, an additional 10 points are deducted from the overall score — reflecting the systemic nature of governance failures.

Coverage scaling: checks that find nothing to scan are marked N/A and excluded from the weighted average — their weight is redistributed across applicable checks. If total applicable weight falls below 50 out of 100, the overall score is additionally scaled by W / 100. Partial coverage means partial confidence.
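
The scoring rules above, worked through as an added example; this is not rigscore's source code. Assumptions: sub-check scores run 0 to 100, a check with WARNINGs floors at 0, the compound penalty is applied after coverage scaling, and the total is rounded. `sampleChecks` is constructed input.

```javascript
// Added example: the scoring rules as stated on this page, not rigscore's source.

function subScore(findings) {
  if (findings.includes('CRITICAL')) return 0;              // CRITICAL zeroes the check
  const warnings = findings.filter((f) => f === 'WARNING').length;
  const infos = findings.filter((f) => f === 'INFO').length;
  if (warnings === 0) return Math.max(50, 100 - 2 * infos); // INFO-only floor of 50
  return Math.max(0, 100 - 15 * warnings - 2 * infos);      // assumed floor of 0
}

function overallScore(checks) {
  const applicable = checks.filter((c) => c.findings !== null); // null means N/A
  const W = applicable.reduce((sum, c) => sum + c.weight, 0);
  if (W === 0) return 0;
  // Weighted average over applicable checks only, so N/A weight is redistributed.
  let score = applicable.reduce((sum, c) => sum + c.weight * subScore(c.findings), 0) / W;
  if (W < 50) score *= W / 100;                              // coverage scaling
  const coherence = applicable.find((c) => c.name === 'Cross-config coherence');
  if (coherence && coherence.findings.includes('CRITICAL')) score -= 10; // compound penalty
  return Math.max(0, Math.round(score));
}

function grade(score) {
  if (score >= 90) return 'A';
  if (score >= 75) return 'B';
  if (score >= 60) return 'C';
  if (score >= 40) return 'D';
  return 'F';
}

// Constructed input: weights from the table above, findings invented for the demo.
const sampleChecks = [
  { name: 'MCP server configuration', weight: 14, findings: ['CRITICAL'] },
  { name: 'Cross-config coherence', weight: 14, findings: ['PASS'] },
  { name: 'Skill file safety', weight: 10, findings: ['PASS'] },
  { name: 'CLAUDE.md governance', weight: 10, findings: ['INFO', 'INFO'] },
  { name: 'Claude settings safety', weight: 8, findings: ['WARNING'] },
  { name: 'Deep source secrets', weight: 8, findings: null },
  { name: 'Secret exposure', weight: 8, findings: ['PASS'] },
];

const total = overallScore(sampleChecks);
console.log(`${total}/100, grade ${grade(total)}`);
```
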


Limitations

rigscore is a configuration presence checker, not a security enforcement tool. Read this before you rely on the score as a governance quality signal.

  • Semantic reversal bypasses keyword checks. The governance checks (CLAUDE.md + coherence, 24 of the 100 scoring points) verify that your governance file mentions concepts like “path restrictions” and “forbidden actions.” A CLAUDE.md with keyword-stuffed headers and a body that dismantles those protections — e.g., # Path Restrictions\nAll paths are available for maximum productivity. — passes the keyword check. See test/keyword-gaming.test.js in the repo for the committed list of known bypasses.
  • Injection detection is pattern-based. The patterns catch common prompt injection attempts with Unicode normalization. Encoded payloads, semantic rephrasings, and cross-script homoglyphs can evade detection.
  • Config-shape pinning only, not runtime tool descriptions. rigscore hashes the configured shape of each MCP server — {command, args, envKeys} — and warns when it changes between scans (CVE-2025-54136 / MCPoison class). It does not hash the tool descriptions a running MCP server advertises; that would require invoking the server. rigscore ships a print-and-paste mcp-hash / mcp-pin / mcp-verify workflow for runtime pinning without executing the server.
  • Secret scanning covers named config files in the project root. Use --deep for recursive source scanning. Use gitleaks or trufflehog for git history.
  • Point-in-time snapshots only. No continuous monitoring, no git history scanning.
  • Score is shape-dependent. Overall score reflects only the checks applicable to your project shape. An npm package will legitimately see 9–10 of 19 checks as N/A (no MCP config, no Dockerfile, no .claude/skills/) and score accordingly. See Dogfooding below.
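
The config-shape pinning described in the list above, as an added example that is not rigscore's own code. The SHA-256-over-JSON pin format, the function names and the sample config are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// Hash only the configured shape {command, args, envKeys}. Env values are
// excluded, so secrets never enter the pin and rotating one does not trip it.
// SHA-256 over this JSON serialization is an assumption, not rigscore's format.
function shapeHash(server) {
  const shape = {
    command: server.command ?? null,
    args: server.args ?? [],
    envKeys: Object.keys(server.env ?? {}).sort(),
  };
  return createHash('sha256').update(JSON.stringify(shape)).digest('hex');
}

// Map of server name -> shape hash for one config snapshot.
function pinConfig(config) {
  const servers = Object.entries(config.mcpServers ?? {});
  return Object.fromEntries(servers.map(([name, s]) => [name, shapeHash(s)]));
}

// Compare two snapshots and report servers that are new, changed or removed.
function diffPins(previous, current) {
  const findings = [];
  for (const [name, hash] of Object.entries(current)) {
    if (!Object.hasOwn(previous, name)) findings.push({ name, status: 'new' });
    else if (previous[name] !== hash) findings.push({ name, status: 'changed' });
  }
  for (const name of Object.keys(previous)) {
    if (!Object.hasOwn(current, name)) findings.push({ name, status: 'removed' });
  }
  return findings;
}

// Constructed sample configs (hypothetical server entry, not from the repo).
const approved = { mcpServers: { filesystem: {
  command: 'npx',
  args: ['-y', '@modelcontextprotocol/server-filesystem', '/home/user/my-project'],
  env: { LOG_LEVEL: 'info' },
} } };
const edited = structuredClone(approved);
edited.mcpServers.filesystem.args[2] = '/'; // scope widened after approval

console.log(diffPins(pinConfig(approved), pinConfig(edited)));
```

A pin of this kind only detects that the configured command changed between scans; as the list above notes, it says nothing about the tool descriptions the server advertises at runtime.
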

Dogfooding

rigscore runs on rigscore in CI.

  • Self-score: 35/100 (Grade F). The real score, not a vanity baseline. rigscore is an npm package; 10 of 19 checks return N/A. The score is scaled down proportionally when applicable coverage is below 50%. Intended behavior.
  • CI threshold: --fail-under 30. Calibrated to the observed baseline with a 5-point regression buffer. The public default is 70; the gap reflects project-shape reality, not a permissive gate.
  • .rigscorerc.json disables three checks (infrastructure-security, skill-coherence, workflow-maturity) that require workspace-oriented artifacts rigscore doesn’t ship.

CI integration

GitHub Actions

- uses: Back-Road-Creative/rigscore@main
  with:
    fail-under: 70
    upload-sarif: true

Or run directly without the action:

- run: npx github:Back-Road-Creative/rigscore --ci --fail-under 70

Pin to a released tag (e.g. @v0.8.0) for reproducible CI when one is available.

SARIF

rigscore emits SARIF v2.1.0 compatible with GitHub Advanced Security. Run npx github:Back-Road-Creative/rigscore --sarif > results.sarif and upload via github/codeql-action/upload-sarif.


How rigscore compares

rigscore is not the only AI-agent config scanner. Real alternatives exist.

| Tool | Niche | Use when |
|---|---|---|
| rigscore | Single-score hygiene check with cross-config coherence | You want one local command, an A–F grade, and a CI gate. No account, no token. |
| Snyk Agent Scan | 15+ risk-category finding stream, runtime tool-description pinning | You need enterprise reporting, runtime MCP tool pinning, or already have a Snyk contract. Requires SNYK_TOKEN. |
| Semgrep | General static analysis, 5000+ rules, optional MCP server | You’re scanning application source, not config hygiene, or already run Semgrep in CI. |

Where rigscore differs from Snyk: the cross-config coherence check. Single-score CI gate with --fail-under N. Fully local by default.

Where Snyk is ahead: runtime tool-description pinning, broader risk-category coverage, published threat models.

Where Semgrep is a better fit: you want to scan your application source for vulnerabilities, not validate your AI-agent configuration. rigscore does not replace Semgrep — it runs upstream of it.


Source and releases