rigscore v0.8.0
- #rigscore
- #security
- #ai
- #devtools
- #open-source
Changes: v0.7.2 → v0.8.0
Two new checks, a distribution model change, and release automation fixes.
Features
infrastructure-securitycheck — verifies host-level defenses: root-owned git hooks, git safety wrapper, shell safety guard, immutable config dirs, settings deny-list, sandbox gatesite-securitycheck — probes deployed sites over live HTTP (opt-in via--online): security headers, exposed sensitive paths, TLS certificate expiry- Single-channel distribution — install via
npx github:Back-Road-Creative/rigscore; npm dropped, fewer supply-chain surfaces
Fixes
- Release workflow consolidation — one
release.ymldrives tag, GitHub release, headlessmode journal post, and tool-page sync workflow_dispatchon release — manual re-trigger now possible when a release run fails mid-flight
Infrastructure-security check
rigscore started as an AI-dev hygiene tool — governance files, skill files, MCP configs. v0.8.0 extends the hygiene model to the host that runs those agents. The new infrastructure-security check (Linux-only) verifies that the machine’s defensive layers are actually in place:
- Root-owned global git hooks (
pre-commit,pre-push,commit-msgin/opt/git-hooks) plus a root-owned git safety wrapper - A shell safety guard (
/etc/profile.d/safety-gates.sh) that blocks dangerous patterns likechmod 777 chattr +iimmutability on configured protected directories- A
settings.jsondeny-list covering destructive commands (git push --force,git reset --hard,rm -rf, direct pushes to main/master) - A sandbox gate registered as a PreToolUse hook for Write/Edit/Bash protection
The check is weighted 6 points — same as docker-security — and slots into the hygiene side of the scoring model.
Site-security check
Deployed sites are a surprisingly rich leak surface. The new site-security check probes your live sites over HTTP — it only runs when you opt in with --online; without the flag it’s skipped entirely. For each configured site it checks:
- Security headers — missing
Content-Security-Policy,X-Frame-Options,X-Content-Type-Options, orStrict-Transport-Securityis a critical finding;Referrer-PolicyandPermissions-Policyare advisory - Exposed sensitive paths — probes for reachable
.env*files,.git/config, backup archives and SQL dumps, admin panels, and server-status pages - TLS certificate expiry
- Secret patterns (API keys, tokens) in served JavaScript
Unlike infrastructure-security, this check is advisory — weight 0, no score impact.
npm dropped — GitHub only
rigscore was briefly published to npm. It isn’t anymore. The distribution surface is now a single path:
1npx github:Back-Road-Creative/rigscore
Two reasons. First, the npm account adds a supply-chain surface (2FA reset attacks, account takeovers) that a scoring tool built to warn you about supply-chain attacks shouldn’t introduce. Second, the github: protocol pins to a tag or branch — users can audit exactly what they’re running without an opaque registry indirection.
The npm install -g rigscore path is gone. No migration: change rigscore to npx github:Back-Road-Creative/rigscore in your CI and local shell.
Release plumbing
The v0.8.0 release cycle exposed a handful of CI gaps. Three fixes landed:
release.ymlconsolidated from two overlapping workflows into oneworkflow_dispatchadded so a failed release can be re-run manually without retagging- Git log sourcing for the auto-generated headlessmode journal post fixed — previous releases published with empty commit tables