$ AI agent governance, security tooling, and mechanical enforcement.

rigscore v0.6.3

rigscore, security, ai, devtools, open-source

Changes: v0.5.0 → v0.6.3

Three new checks. Thirteen total. Deeper detection across the board.

| Change | What it does |
| --- | --- |
| Claude settings check | Detects dangerous hook configs, enableAllProjectMcpServers, and skip-permissions |
| Credential storage check | Scans for credentials stored outside of env vars and secret managers |
| Unicode steganography check | Detects hidden text in skill files using Greek/Armenian/Georgian lookalikes, zero-width chars, and bidi overrides |
| OWASP Agentic Top 10 mapping | Every finding tagged to ASI01–ASI10 taxonomy |
| CVE-specific patterns | Detection patterns tied to CVE-2025-59536, CVE-2026-21852, CVE-2025-54136 |
| Finding IDs | Stable checkId/slugified-title identifiers for suppression workflows |
| --ignore flag | Suppress findings by title pattern at the CLI or via config |
| Shell history scanning | Checks ~/.bash_history and ~/.zsh_history for leaked secrets |
| SARIF physical locations | File paths extracted from findings for IDE integration |
| Fixer self-registration | Check modules own their fixers — no central registry |
| Weight rebalancing | Scoring recalibrated for 13-check distribution |

Three new checks

Claude settings (claude-settings) scans .claude/settings.json for configurations that expand attack surface. The dangerous ones: enableAllProjectMcpServers (loads MCP servers from any project without review), hooks that shell out to arbitrary commands, and skip-permissions mode. These settings exist for legitimate reasons — rigscore flags them as advisory so you’re making a deliberate choice, not an accidental one.

Credential storage (credential-storage) checks where credentials actually live. Env vars in the right files, committed secrets in the wrong ones. This complements the existing secret exposure check with broader pattern coverage.

Unicode steganography (unicode-steganography) checks skill files and CLAUDE.md for hidden characters. Greek lookalikes (α, ο, ρ) that render identically to Latin letters, zero-width joiners, bidirectional control characters — the attack surface from the ToxicSkills and Rules File Backdoor incidents. The check expands on what was already in the skill-files check, now covering Armenian and Georgian scripts and a full bidi override pattern set.
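A sketch of the kind of scan the unicode-steganography check describes, added here as an illustration; it is not rigscore's code. The function name scanText, the character ranges it uses and the sample text are this example's own assumptions.

```javascript
// Added example, not rigscore's implementation. Ranges and names are this example's choices.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/u;              // ZWSP, ZWNJ, ZWJ, word joiner, BOM
const BIDI = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/u; // marks, embeddings, overrides, isolates
const LOOKALIKE = /[\p{Script=Greek}\p{Script=Armenian}\p{Script=Georgian}]/u;
const LATIN = /\p{Script=Latin}/u;

const hex = (ch) => 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');

function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    let col = 0;
    for (const ch of line) { // iterate by code point, so col counts characters
      col += 1;
      if (ZERO_WIDTH.test(ch)) findings.push({ line: i + 1, col, kind: 'zero-width', cp: hex(ch) });
      else if (BIDI.test(ch)) findings.push({ line: i + 1, col, kind: 'bidi-control', cp: hex(ch) });
    }
    // A word that mixes Latin with Greek/Armenian/Georgian letters is a likely homoglyph;
    // words written entirely in one of those scripts are legitimate text and are skipped.
    for (const m of line.matchAll(/[\p{L}\p{M}]+/gu)) {
      if (!LATIN.test(m[0])) continue;
      for (const ch of m[0]) {
        if (LOOKALIKE.test(ch)) findings.push({ line: i + 1, kind: 'mixed-script', cp: hex(ch), word: m[0] });
      }
    }
  });
  return findings;
}

// Constructed sample skill file; suspicious characters are written as escapes so they stay visible.
const SAMPLE = [
  '# Deploy skill',
  'Run the depl\u03BFy script.',      // Greek omicron inside a Latin word
  'Never read\u200B secrets.',        // zero-width space
  'Log file: \u202Egol.txt\u202C',    // right-to-left override, then pop directional formatting
  '\u0395\u03BB\u03BB\u03B7\u03BD\u03B9\u03BA\u03AC is fine.', // all-Greek word, not flagged
].join('\n');

for (const f of scanText(SAMPLE)) console.log(JSON.stringify(f));
```

Flagging only mixed-script words keeps legitimate Greek, Armenian or Georgian prose from producing findings, while any zero-width or bidi control character is reported wherever it appears.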


OWASP Agentic Top 10

Every rigscore finding now carries an OWASP Agentic Top 10 (2026) category tag — ASI01 through ASI10. This maps rigscore’s checks to the emerging standard taxonomy for AI agent security:

| Category | What rigscore covers |
| --- | --- |
| ASI01 Prompt Injection | Skill file injection patterns, CLAUDE.md integrity |
| ASI02 Excessive Agency | MCP server scope, enableAllProjectMcpServers |
| ASI03 Insecure Output | Governance contradictions, shell restrictions |
| ASI05 Supply Chain | MCP package pinning, typosquatting |
| ASI06 Sensitive Data | Secret exposure, credential storage, shell history |
| ASI08 Misinformation | Coherence contradictions |

The tags appear in JSON and SARIF output. If you’re running rigscore in CI and uploading SARIF to GitHub Advanced Security, the category now shows up in the security dashboard.


CVE-specific detection

Three CVEs from late 2025 / early 2026 are now in the pattern set:

  • CVE-2025-59536 — Claude Code path traversal via malformed tool paths
  • CVE-2026-21852 — MCP server SSRF via redirect chain in HTTP transport
  • CVE-2025-54136 — Prompt injection via Unicode bidirectional override in skill files

These are compound patterns — the detector checks for the specific configuration conditions each CVE requires, not just keyword presence.


Finding IDs and suppression

Every finding now has a stable ID in the format checkId/slugified-title — for example, env-exposure/env-file-found-but-not-in-gitignore. These are consistent across runs on the same codebase.

Use them with --ignore to suppress findings you’ve accepted:

# Suppress a specific finding by title pattern
npx rigscore --ignore "enableAllProjectMcpServers"

# Or in .rigscore.json
{
  "suppress": ["enableAllProjectMcpServers", "world-readable"]
}

Finding IDs also appear in SARIF output, making them usable as suppression keys in GitHub Advanced Security.


Install

npx rigscore

No accounts, no telemetry, no network calls. MIT licensed.

github.com/Back-Road-Creative/rigscore

Configuration details reflect a production environment at time of writing. Implementation specifics vary based on tooling versions, platform updates, and organizational requirements. Validate approaches against current documentation before deployment.