rigscore v0.2.0
- #rigscore
- #security
- #ai
- #devtools
- #mcp
- #open-source
Installing today? This is a historical release note.
npx rigscorenow resolves to the deprecated npm package (0.4.1) — install the current release withnpx github:Back-Road-Creative/rigscore(see the docs).
Changes: v0.1.0 → v0.2.0
Three additions. The check count goes from 6 to 9 — new coherence, deep-secrets, and permissions-hygiene checks — and the depth increases significantly.
Features
- Cross-config coherence — compares governance claims against actual configuration, flags contradictions
- Deep source secrets — recursive scanning with 34 secret patterns via
--deep - MCP supply chain — version pinning checks and typosquatting detection for MCP server packages
Coherence checking
This is the check that makes rigscore different from generic secret scanners. A CLAUDE.md file might say “no shell access” while the MCP config grants a shell server full filesystem access. A governance file might claim “all secrets encrypted” while .env files sit unprotected.
The coherence check reads your governance claims and cross-references them against your actual configuration. When they contradict, rigscore flags it and applies a compound risk penalty to the overall score.
Configurations that are honestly insecure score better than configurations that lie about their security posture.
Deep source scanning
The --deep flag enables recursive source file scanning across 34 secret patterns — AWS keys, GitHub tokens, database connection strings, private keys, Slack webhooks, and more. Without --deep, rigscore only checks common config file locations.
1npx rigscore --deep
MCP supply chain
MCP servers are npm packages that your AI agent loads and executes. rigscore now checks whether those packages use pinned versions (not latest or *) and scans package names for typosquatting patterns against known legitimate MCP servers.