$ AI agent governance, security tooling, and mechanical enforcement.

rigscore command reference

  • #rigscore
  • #cli
  • #reference
  • #devtools

Companion to the rigscore docs. Scoring, compliance mapping, and CI gates live there; this page covers the working-session commands and packaging.


Auto-fix and starter packs

--fix identifies safe, reversible remediations — and offers the starter packs that target your red checks. Consent is layered: dry run by default, --yes unlocks file-level edits to files you already have, --install-packs additionally allows scaffolding new files:

1npx github:Back-Road-Creative/rigscore --fix                        # dry run: lists auto-fixes AND installable packs, writes nothing
2npx github:Back-Road-Creative/rigscore --fix --yes                  # applies auto-fixes; packs are offered, not installed
3npx github:Back-Road-Creative/rigscore --fix --yes --install-packs  # also installs the packs targeting your red checks

--fix never rewrites governance content, and a pack install never overwrites an existing file — it is reported skipped (exists) and left byte-for-byte alone. To install one specific pack, or overwrite deliberately:

1npx github:Back-Road-Creative/rigscore init --list-packs             # what ships, and which checks each pack targets
2npx github:Back-Road-Creative/rigscore init --<pack> [dir] [--force] # install one pack directly

Recursive / monorepo mode

--recursive discovers project subdirectories (any recognizable marker file: package.json, pyproject.toml, Dockerfile, CLAUDE.md, …) and scans each independently, four at a time. The overall score is the average across discovered projects; each project’s own .rigscorerc.json is honored.

1npx github:Back-Road-Creative/rigscore . --recursive
2npx github:Back-Road-Creative/rigscore . -r --depth 2   # two levels, e.g. workspace/_active/svc-foo

Suppressing findings

Mute a finding by its stable ID — exact match, case-insensitive — via the flag or .rigscorerc.json:

1npx github:Back-Road-Creative/rigscore --ignore "env-exposure/env-not-gitignored,skill-files/shell-exec"
1{ "suppress": ["env-exposure/env-not-gitignored"] }

Suppression is never silent: the terminal report, JSON (suppressed: { count, ids }), and SARIF all disclose how many findings were muted and which. IDs follow <check-id>/<slug>, are stable within a major version, and a bare <check-id> mutes a whole check. Full catalog: docs/FINDING_IDS.md.


CycloneDX AI-BOM export

--cyclonedx prints a CycloneDX 1.6 BOM of the AI components a scan discovers: every repo-level MCP server as a component (with version + purl when the package is stably pinned), AI client configs and governance files with SHA-256 content digests, and a dependency graph. AI facts (transport, launch command, declared env-var names, config-shape hash) ride on properties rows.

1npx github:Back-Road-Creative/rigscore --cyclonedx . > ai-bom.json

Repo-scoped on purpose — home-dir client configs never land in a shippable BOM. Not combinable with --recursive.


Docker image

Every v*.*.* release tag publishes an image to GHCR. It runs as a non-root user and scans /workspace by default:

1docker run --rm -v "$PWD:/workspace" ghcr.io/back-road-creative/rigscore:<tag>

Explain a finding

rigscore explain <findingId> prints the docs page for the check behind a finding, jumping to the finding-specific section when one exists:

1npx github:Back-Road-Creative/rigscore explain skill-files/indirect-injection

Watch mode

--watch re-runs rigscore when relevant files change — governance files, MCP configs, .env, Docker Compose files, git hooks, .rigscorerc.json — debounced at 500ms:

1npx github:Back-Road-Creative/rigscore --watch

Plugins

rigscore auto-discovers rigscore-check-* packages (scoped @org/rigscore-check-* too) from node_modules and runs them as extra checks — no core changes needed. Plugins default to weight 0 (advisory); give one scoring weight via .rigscorerc.json:

1{ "weights": { "my-custom": 5 } }

An invalid plugin warns to stderr and is skipped — it never crashes the scan.


More flags

FlagWhat it does
--badgeGenerate a markdown score badge for your README
--check <id>Run a single check; an N/A check reports n/a and exits 0, not a red 0/100
--include-home-skillsAlso scan ~/.claude/skills and ~/.claude/commands (default: project scope only)
--init-hookInstall a pre-commit hook that runs rigscore with --fail-under 70 before each commit
--refresh-mcp-registryForce refetch of the MCP registry cache (implies --online, bypasses the 24h TTL)