rigscore v0.3.0
Changes: v0.2.0 → v0.3.0
The scoring model changes and rigscore becomes CI-ready.
| Feature | What it does |
|---|---|
| Moat-heavy scoring | AI-specific checks (MCP, coherence, skills, governance) = 60% of score |
| SARIF v2.1.0 output | Integration with GitHub Advanced Security, CodeQL, and security dashboards |
| CI mode | --ci --fail-under 80 for pipeline gates |
| Auto-fix | --fix --yes for safe, reversible remediations |
| Recursive scanning | --recursive --depth N for monorepos |
| Badge generation | --badge for README shields |
Moat-heavy scoring
The original scoring weighted all checks roughly equally. That didn't reflect reality: an exposed MCP server with filesystem access is a fundamentally different risk from a missing pre-commit hook.
v0.3.0 reweights so that AI-specific checks carry the majority of the score:
| Check | Points |
|---|---|
| MCP server configuration | 18 |
| Cross-config coherence | 18 |
| Skill file safety | 12 |
| CLAUDE.md governance | 12 |
| Deep source secrets | 10 |
| Secret exposure | 10 |
| Container security | 8 |
| Git hooks | 6 |
| Permissions hygiene | 6 |
60 of 100 points come from checks that don't exist in other security tools. That's the moat: rigscore scores what matters for AI development environments specifically.
SARIF and CI mode
SARIF output integrates with GitHub Advanced Security so findings show up in the Security tab alongside CodeQL results.
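The scoring table above and the SARIF/CI integration fit together in a few dozen lines, so here is an added, self-contained illustration (not rigscore's own code). The check names and point values are the v0.3.0 weights from the table; the rule ids, the `Finding` shape, the error/warning mapping, the "a check earns its weight only when it has no findings" rule and all function names are assumptions made for this example. It builds a SARIF v2.1.0 log of the kind GitHub code scanning ingests, checks a few mandatory fields before upload, and applies a `--fail-under`-style gate to the weighted score.

```python
"""Weighted scoring, SARIF 2.1.0 output and a --fail-under style gate.

Added illustration for this page, not rigscore's own code.  Check names and
points are the v0.3.0 weights from the release notes; rule ids, the Finding
shape, the level mapping and the function names are assumptions.
"""
import json
from dataclasses import dataclass

# v0.3.0 weights from the release notes; they sum to 100.
WEIGHTS = {
    "mcp-server-configuration": 18,
    "cross-config-coherence": 18,
    "skill-file-safety": 12,
    "claude-md-governance": 12,
    "deep-source-secrets": 10,
    "secret-exposure": 10,
    "container-security": 8,
    "git-hooks": 6,
    "permissions-hygiene": 6,
}
# The four AI-specific checks the notes call the "moat" (60 points).
AI_SPECIFIC = {"mcp-server-configuration", "cross-config-coherence",
               "skill-file-safety", "claude-md-governance"}

SARIF_SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                "master/Schemata/sarif-schema-2.1.0.json")


@dataclass
class Finding:
    check: str    # key into WEIGHTS
    message: str
    path: str     # repo-relative file the finding points at
    line: int = 1


def score(findings):
    """Assumed model: a check earns its full weight only if it has no findings."""
    failed = {f.check for f in findings}
    return sum(w for check, w in WEIGHTS.items() if check not in failed)


def to_sarif(findings, tool_version="0.3.0"):
    """Build a minimal SARIF 2.1.0 log with one rule per check."""
    rule_ids = list(WEIGHTS)
    rules = [{"id": check,
              "shortDescription": {"text": check.replace("-", " ")},
              "properties": {"weight": w, "ai-specific": check in AI_SPECIFIC}}
             for check, w in WEIGHTS.items()]
    results = []
    for f in findings:
        results.append({
            "ruleId": f.check,
            "ruleIndex": rule_ids.index(f.check),
            # Assumed mapping: checks worth 12+ points surface as errors.
            "level": "error" if WEIGHTS[f.check] >= 12 else "warning",
            "message": {"text": f.message},
            "locations": [{"physicalLocation": {
                # %SRCROOT% lets GitHub resolve the path against the checkout.
                "artifactLocation": {"uri": f.path, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f.line},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "rigscore", "version": tool_version,
                                "rules": rules}},
            "results": results,
        }],
    }


def sarif_problems(doc):
    """Pre-upload check of a few fields the SARIF 2.1.0 spec makes mandatory."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for i, run in enumerate(doc.get("runs", [])):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{i}].tool.driver.name missing")
        for j, r in enumerate(run.get("results", [])):
            if not r.get("message", {}).get("text"):
                problems.append(f"runs[{i}].results[{j}].message.text missing")
            if r.get("level", "warning") not in ("none", "note", "warning", "error"):
                problems.append(f"runs[{i}].results[{j}].level invalid")
    return problems


def ci_gate(findings, fail_under):
    """Exit status for a `--ci --fail-under N` run: 0 passes, 1 fails the job."""
    return 0 if score(findings) >= fail_under else 1


def sample_findings():
    """Constructed findings for the demo; not real scan output."""
    return [
        Finding("mcp-server-configuration",
                "filesystem MCP server exposes the repo root with no allow-list",
                ".claude/mcp.json", 4),
        Finding("git-hooks", "no pre-commit hook installed", ".git/hooks"),
    ]


if __name__ == "__main__":
    found = sample_findings()
    print(json.dumps(to_sarif(found), indent=2))
    print("score:", score(found), "gate exit:", ci_gate(found, 80))
```

With the two constructed findings the score is 76 (100 minus 18 minus 6), so a `--fail-under 80` gate fails the job while the SARIF log still uploads and shows both results, the MCP one as an error, in the Security tab.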
Auto-fix and recursive scanning
--fix identifies safe remediations (adding .env to .gitignore, fixing SSH key permissions) and, paired with --yes, applies them. --recursive scans monorepo subdirectories and reports per-project scores.
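What makes a remediation "safe" is that it can be planned before it is applied and undone afterwards. The following is an added illustration of that plan / apply / revert cycle for the two fixes named above; it is not rigscore's own code, and the function names, the list of private-key file names, the set of `.gitignore` patterns treated as cover, and the `yes` flag mirroring `--fix --yes` are all assumptions made for the example.

```python
"""Safe, reversible auto-fix for the two remediations the notes name:
.env missing from .gitignore and over-permissive SSH private keys.

Added illustration for this page, not rigscore's own code.  The plan /
apply / revert split, function names and key file list are assumptions.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumed list of private-key file names to inspect in the SSH directory.
PRIVATE_KEY_NAMES = ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa")
# Assumed set of patterns accepted as already ignoring a top-level .env.
ENV_PATTERNS = {".env", "/.env", ".env*", "**/.env"}


def gitignore_covers_env(text):
    """True only for an explicit pattern; a negation like '!.env' is not cover."""
    patterns = {line.strip() for line in text.splitlines()}
    return bool(patterns & ENV_PATTERNS)


def plan_fixes(repo, ssh_dir):
    """Inspect only.  Each entry is (kind, path, undo_state) so it can be reverted."""
    plan = []
    gi = Path(repo) / ".gitignore"
    original = gi.read_text() if gi.exists() else None   # None = file absent
    if not gitignore_covers_env(original or ""):
        plan.append(("gitignore-env", gi, original))
    for name in PRIVATE_KEY_NAMES:
        key = Path(ssh_dir) / name
        if key.is_file():
            mode = stat.S_IMODE(key.stat().st_mode)
            if mode & 0o077:          # any group/other bit set
                plan.append(("key-perms", key, mode))
    return plan


def apply_fixes(plan):
    """Apply each planned fix and return the undo log in the order applied."""
    applied = []
    for kind, path, undo_state in plan:
        if kind == "gitignore-env":
            text = undo_state or ""
            sep = "" if text == "" or text.endswith("\n") else "\n"
            path.write_text(text + sep + ".env\n")   # append, never rewrite
        elif kind == "key-perms":
            os.chmod(path, 0o600)
        applied.append((kind, path, undo_state))
    return applied


def revert_fixes(applied):
    """Undo in reverse order using the recorded state."""
    for kind, path, undo_state in reversed(applied):
        if kind == "gitignore-env":
            if undo_state is None:
                path.unlink()                 # we created it, so remove it
            else:
                path.write_text(undo_state)
        elif kind == "key-perms":
            os.chmod(path, undo_state)


def fix(repo, ssh_dir, yes=False):
    """Mirror of `--fix` / `--fix --yes`: without yes it only returns the plan."""
    plan = plan_fixes(repo, ssh_dir)
    return apply_fixes(plan) if yes else plan


def run_demo():
    """Build a constructed repo and ssh dir in a temp directory and exercise the cycle."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, ssh = Path(tmp) / "repo", Path(tmp) / "ssh"
        repo.mkdir()
        ssh.mkdir()
        (repo / ".gitignore").write_text("node_modules")          # no trailing newline
        key = ssh / "id_ed25519"
        key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n")   # constructed, not a real key
        os.chmod(key, 0o644)
        out = {"dry_run": [k for k, _, _ in fix(repo, ssh)]}
        applied = fix(repo, ssh, yes=True)
        out["after_apply"] = ((repo / ".gitignore").read_text(),
                              oct(stat.S_IMODE(key.stat().st_mode)))
        out["second_run"] = [k for k, _, _ in plan_fixes(repo, ssh)]   # idempotent
        revert_fixes(applied)
        out["after_revert"] = ((repo / ".gitignore").read_text(),
                               oct(stat.S_IMODE(key.stat().st_mode)))
        return out


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to any auto-fix feature: the plan is produced without touching the filesystem, so `--fix` without `--yes` is a true dry run, and the undo state is captured per item before the change, so a partial application can still be rolled back. The `.gitignore` fix appends rather than rewriting, which keeps the user's existing patterns and ordering intact.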
Install
MIT licensed. github.com/Back-Road-Creative/rigscore
Configuration details reflect a production environment at time of writing. Implementation specifics vary based on tooling versions, platform updates, and organizational requirements. Validate approaches against current documentation before deployment.