rigscore
- #hygiene
- #security
- #ai
- #cli
- #open-source
- #devtools
Scope. rigscore measures configuration hygiene, not runtime security: it reads the files on disk — governance docs, MCP configs, Docker settings, skill files, permissions — and scores what they say. Pair it with a runtime scanner and source-level SAST; see known limits and verify rigscore.
Two scores
One local command runs 28 checks — 13 scored plus 15 advisory — and prints two independent 100-point scores, each A–F: Security (hygiene) and Practice. Fully offline: no token, no data leaves the machine.
npx github:Back-Road-Creative/rigscoreRequires Node >= 18.17. --online adds site probes and MCP supply-chain checks.
Sample output
rigscore v2.1.0 [X] MCP server configuration [mechanical] CRITICAL "filesystem" mounts / [OK] Cross-config coherence [keyword] governance matches config [ADV] Semantic tool judge [pattern] advisory — run with --semantic HYGIENE 78/100 (B) · Practice 71/100 (B) Grade: B Each row's [mechanical] / [pattern] / [keyword] tag shows how its points are earned (see the legend below).
Why rigscore
- The only cross-config coherence pass. rigscore reads your governance claims and checks them against your actual configuration, catching contradictions single-surface scanners miss — a
CLAUDE.mdthat forbids/etcwhile the MCP config mounts/, a “no shell” rule sitting next to a shell server with filesystem access. A config that is honestly insecure scores better than one that lies about its posture. - A second axis nobody else scores. Alongside Security, every scan prints a Practice score — does this team drive its agents well? — from loop governance, spec goals, workflow maturity, and sandbox posture. Most scanners grade the config; rigscore also grades the workflow.
- Full power offline, whole surface, one score. Every scored check runs with no token, no account, and no data leaving the machine (
--onlineonly adds optional probes) — and instructions, permissions, MCP, skills, hooks, CI, Docker, and env all fold into one A–F grade and an embeddable badge, not a single-tool silo.
Fix what it finds
rigscore . --fix dry-runs every auto-fixable issue — plus the starter packs that target your red checks — and writes nothing. --fix --yes applies the safe, file-level fixes to files you already have; --fix --yes --install-packs also scaffolds guard packs for the major AI clients wherever a check is red. To install a single pack on its own, run rigscore init --<pack>. The full flag ladder lives in the command reference.
What it checks
Scored checks (13 · 100 points)
| Check | Weight | Category |
|---|---|---|
| Cross-config coherence | 14 | governance |
| MCP server configuration | 14 | supply-chain |
| Governance documentation | 10 | governance |
| Skill file safety | 10 | supply-chain |
| Claude settings safety | 8 | governance |
| Deep source secrets | 8 | secrets |
| Secret exposure | 8 | secrets |
| Credential storage hygiene | 6 | secrets |
| Docker security | 6 | isolation |
| Infrastructure security | 6 | process |
| Permissions hygiene | 4 | process |
| Unicode steganography | 4 | governance |
| Git hooks | 2 | process |
AI-specific checks (MCP, coherence, skill files, governance docs) hold 48 of the 100 points; the rest cover secrets, container isolation, infrastructure, hygiene.
Advisory checks (15 · zero weight)
Advisory checks carry zero Security weight; several score on the Practice axis instead.
| Check | Category | Enforcement |
|---|---|---|
| Agent output schemas | governance | mechanical |
| AI disclosure | governance | keyword |
| CI agent caps | process | pattern |
| Documentation coverage | process | mechanical |
| Instruction effectiveness | governance | keyword |
| Loop governance | process | pattern |
| Memory hygiene | governance | mechanical |
| Network exposure | isolation | mechanical |
| Sandbox posture | isolation | mechanical |
| Semantic tool-description judge | supply-chain | pattern |
| Site security | isolation | mechanical |
| Skill ↔ governance coherence | governance | keyword |
| Spec goals | governance | keyword |
| Windows/WSL security | isolation | mechanical |
| Workflow maturity | governance | keyword |
Scoring
| Score | Grade | Meaning |
|---|---|---|
| 90–100 | A | Strong hygiene posture |
| 75–89 | B | Good foundation, some gaps |
| 60–74 | C | Moderate risk, needs attention |
| 40–59 | D | Significant gaps |
| 0–39 | F | Critical issues, fix immediately |
- CRITICAL zeros out its sub-check; a coherence CRITICAL costs an extra 10 points.
- WARNING deducts 15 each (1 = 85, 2 = 70, 3 = 55); INFO deducts 2 each, floored at 50 with no WARNINGs.
- PASS / SKIPPED: no impact.
Coverage scaling: unscannable checks are marked N/A and their weight redistributed; the score scales by min(1, W / 100) for applicable weight W.
The Practice score
Every scan prints a second 100-point axis. Security asks is this rig safe? Practice asks does this team drive its agents well?
| Practice check | Weight |
|---|---|
| Loop governance | 25 |
| Spec goals | 20 |
| Workflow maturity | 20 |
| Sandbox posture | 15 |
| CI agent caps | 10 |
| Memory hygiene | 5 |
| AI disclosure | 5 |
Practice checks contribute zero to Security. A repo with no practice surface prints Practice: n/a, not an unfair 0/100; --json reports practiceScore (number or null). The cross-config coherence pass and this second axis are what set rigscore apart — see Why rigscore.
Enforcement-grade labels
Each check’s label shows how its points are earned; it is display-only.
[mechanical]— deterministic config inspection, ungameable by wording. 15 of 28.[pattern]— regex/structural scan, evadable only by novel obfuscation. 7 of 28.[keyword]— phrase presence in governance prose, gameable by keyword-stuffing (see known limits). 6 of 28.
Scoring profiles
A profile is a weight map. Five ship built in:
| Profile | Use-case |
|---|---|
default | Balanced AI dev environment audit |
minimal | Smoke test — AI-moat checks only |
ci | CI pipelines (identical to default today) |
home | Single-user dev boxes — infra/docker/windows off |
monorepo | Multi-project repos — hints --recursive --depth 3 |
npx github:Back-Road-Creative/rigscore --profile minimalResolution order: --profile, then project .rigscorerc.json, then ~/.rigscorerc.json, then default. Custom weights: promote an advisory check into the scored lane (non-zero) or demote a scored one (0).
Compliance report
--report compliance groups findings by framework control — deterministic text, diffable in CI or for an auditor:
npx github:Back-Road-Creative/rigscore --report compliance .| Framework | Status | Coverage |
|---|---|---|
| OWASP Top 10 for Agentic Applications 2026 | Final | full |
| OWASP MCP Top 10 | Beta (pilot) | partial |
| NIST AI RMF 1.0 | Final | full |
| EU AI Act — Regulation (EU) 2024/1689 | In force, phased | full |
The table only claims what it can prove: controls with no supporting check print NOT EVIDENCED, and unmapped checks print UNMAPPED. Muted findings (suppress: / --ignore) are disclosed by count and id. Not with --recursive.
Limitations
rigscore is a configuration presence checker, not an enforcement tool. Read this before relying on the score as a governance quality signal.
- Semantic reversal bypasses keyword checks. The governance checks (governance docs + coherence, 24 of the 100 scoring points) only confirm your file mentions concepts like “path restrictions”; stuffed headers over a body that dismantles them still pass. See
test/keyword-gaming.test.jsfor the bypass list. - Injection detection is pattern-based. Unicode-normalized patterns catch common prompt-injection; encoded payloads, rephrasings, and homoglyphs can evade them.
- Config-shape pinning only, not runtime tool descriptions. rigscore hashes each MCP server’s configured shape —
{command, args, envKeys}— and warns on change (CVE-2025-54136 / MCPoison class), but does not hash the tool descriptions a running server advertises. Themcp-hash/mcp-pin/mcp-verifyworkflow pins those operator-side. - Secret scanning covers named config files in the project root. Use
--deepfor recursive source, or a dedicated git-history secret scanner for git history. - Point-in-time snapshots only. No continuous monitoring, no git-history scan.
- Score depends on project shape. rigscore ships 28 checks; an npm package legitimately sees most as N/A. rigscore itself is a package, not an agent workspace — no committed MCP config, no
.claude/skills/, no per-client rule sets — so only a minority apply. See Dogfooding for the exact self-score.
Dogfooding
rigscore runs on rigscore in CI.
- Self-score 37/100 (Grade F). The real score: as an npm package only 10 of its 28 apply (weight 46/100), the rest N/A.
- CI threshold
--fail-under 30. The baseline (37) minus a 7-point buffer; the public default is 70. .rigscorerc.jsondisables four checks (infrastructure-security,skill-coherence,workflow-maturity,agent-output-schemas) needing artifacts rigscore doesn’t ship.
CI integration
GitHub Actions
1- uses: Back-Road-Creative/[email protected]
2 with:
3 fail-under: 70
4 upload-sarif: true
Or run directly:
- run: npx github:Back-Road-Creative/rigscore --ci --fail-under 70Pin to a released tag (the action rejects @main-style refs); tags through v2.1.0 are available.
SARIF
rigscore emits SARIF v2.1.0: npx github:Back-Road-Creative/rigscore --sarif > results.sarif, uploaded via github/codeql-action/upload-sarif.
Baseline gate
Gate on new findings, not an absolute score: the first run writes the baseline; later runs report only findings not in it and exit 1 if any exist:
npx github:Back-Road-Creative/rigscore --baseline .rigscore-baseline.jsonCommit the baseline: the gate reads the HEAD copy, so a deleted or corrupt working-tree baseline fails closed. Refresh with --baseline-refresh.
State file and MCP-shape gate
With a repo-level .mcp.json, a scan writes .rigscore-state.json: a SHA-256 pin of each MCP server’s {command, args, envKeys} shape (env keys only, never values). A changed pin flags a silent swap of a trusted server (the MCPoison class, CVE-2025-54136); an uncommitted pin detects nothing.
npx github:Back-Road-Creative/rigscore --verify-state--verify-state is the read-only CI gate: it reads the pin at HEAD (a fresh pin can’t satisfy it) and exits 1 on drift, 2 if missing or corrupt, 0 if all match. --no-state-write skips the write on a borrowed checkout, flagging the lost coverage.
Runtime tool pinning
The state file above pins each MCP server’s configured shape. The tool descriptions a running server advertises are pinned separately, on demand — rigscore never launches the server itself (that would hand code execution to the thing you distrust), so it uses a print-and-paste workflow:
1npx -y <mcp-server-package> | rigscore mcp-hash | xargs rigscore mcp-pin <server> # pin
2npx -y <mcp-server-package> | rigscore mcp-verify <server> # verify later
rigscore mcp-hash canonicalizes and hashes a tools/list JSON read from stdin; mcp-pin stores it in .rigscore-state.json; mcp-verify re-compares. Verify exits 0 on a match, 3 when nothing is pinned for that server, and 4 on drift — a tool description that silently changed under a trusted server (the CVE-2025-54136 rug-pull class). Each server also gets a zero-weight INFO during a normal scan showing whether its runtime hash is pinned.
Exit codes
| Code | Meaning |
|---|---|
0 | At or above --fail-under (baseline: no new findings) |
1 | Below --fail-under, or new findings vs baseline |
2 | Config error — bad .rigscorerc.json, unknown --profile, or corrupt baseline |
3 | rigscore mcp-verify <server> with no runtime hash pinned |
4 | rigscore mcp-verify <server> drift — the piped tools/list no longer matches the pinned runtime hash |
Source and releases
- GitHub: github.com/Back-Road-Creative/rigscore
- Releases: /releases/
- Reference: /docs/reference/ — auto-fix, packs, monorepo, AI-BOM, watch, plugins
- Supported clients: /docs/clients/ — every governance file, MCP config, sandbox, and skill dir rigscore reads, per client
- Install:
npx github:Back-Road-Creative/rigscore· License: MIT