rigscore v0.2.0
Changes: v0.1.0 → v0.2.0
Three additions. The check count stays at 8 but the depth increases significantly.
| Feature | What it does |
|---|---|
| Cross-config coherence | Compares governance claims against actual configuration and flags contradictions |
| Deep source secrets | Recursive scanning with 34 secret patterns via --deep |
| MCP supply chain | Version pinning checks and typosquatting detection for MCP server packages |
Coherence checking
This is the check that makes rigscore different from generic secret scanners. A CLAUDE.md file might say “no shell access” while the MCP config grants a shell server full filesystem access. A governance file might claim “all secrets encrypted” while .env files sit unprotected.
The coherence check reads your governance claims and cross-references them against your actual configuration. When they contradict, rigscore flags it and applies a compound risk penalty to the overall score.
Configurations that are honestly insecure score better than configurations that lie about their security posture.
Deep source scanning
The --deep flag enables recursive source file scanning across 34 secret patterns: AWS keys, GitHub tokens, database connection strings, private keys, Slack webhooks, and more. Without --deep, rigscore only checks common config file locations.
MCP supply chain
MCP servers are npm packages that your AI agent loads and executes. rigscore now checks whether those packages use pinned versions (not latest or *) and scans package names for typosquatting patterns against known legitimate MCP servers.
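The pinning and typosquatting checks described above, as an added Python example that is not rigscore's own code: it assumes the common {"mcpServers": {...}} config layout with npx-launched packages, uses a constructed allowlist of known server names, and goes slightly beyond the page by treating any non-exact semver (ranges included), not only latest or *, as unpinned.

```python
import json
import re

# Constructed allowlist standing in for a real scanner's list of known MCP servers.
KNOWN_MCP_PACKAGES = {"@modelcontextprotocol/server-filesystem", "@modelcontextprotocol/server-github"}
# npm package spec: optional @scope/, a name, optional @version-or-range.
PKG_RE = re.compile(r"^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*(@[^@]+)?$")
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")  # exact semver only; "latest", "*", "" and ranges fail

def split_spec(spec):
    """'@scope/name@1.2.3' -> ('@scope/name', '1.2.3'); a bare name gets ''."""
    head, sep, tail = spec.rpartition("@")
    if not sep or not head:  # no '@', or the only '@' is the leading scope
        return spec, ""
    return head, tail

def levenshtein(a, b):
    """Edit distance: a name one or two keystrokes from a known one is suspect."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_match(name, known=KNOWN_MCP_PACKAGES, max_distance=2):
    """Known package that `name` imitates, or None if `name` is exact or unrelated."""
    closest = min(known, key=lambda k: levenshtein(name, k))
    return closest if 0 < levenshtein(name, closest) <= max_distance else None

def audit_mcp_config(config_json):
    """(server, package, issue, detail) findings for npx-launched MCP servers."""
    findings = []
    for server, entry in json.loads(config_json).get("mcpServers", {}).items():
        args = entry.get("args", []) if entry.get("command") == "npx" else []  # local scripts carry no npm spec
        if spec := next((a for a in args if not a.startswith("-") and PKG_RE.match(a)), None):
            name, version = split_spec(spec)
            if not PINNED_RE.match(version):
                findings.append((server, name, "unpinned", version or "(none)"))
            if target := typosquat_match(name):
                findings.append((server, name, "typosquat", target))
    return findings

# Constructed sample config in the common {"mcpServers": {...}} layout.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "fs": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem@2025.1.14", "/srv/data"]},
    "gh": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github@latest"]},
    "squat": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystm@*"]},
}})
```

Running audit_mcp_config(SAMPLE_CONFIG) reports the "latest" and "*" specs as unpinned and the misspelled filesystem server as a typosquat of the known package, while the pinned, correctly named entry produces no finding.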
Install
MIT licensed. github.com/Back-Road-Creative/rigscore
Configuration details reflect a production environment at time of writing. Implementation specifics vary based on tooling versions, platform updates, and organizational requirements. Validate approaches against current documentation before deployment.