
rigscore v0.8.0


Changes: v0.7.2 → v0.8.0

Two new checks, a distribution model change, and release automation fixes.

| Change | What it does |
| --- | --- |
| infrastructure-security check | Scans Terraform, Pulumi, and raw cloud config for public-by-default resources, missing encryption, and overly permissive IAM |
| site-security check | Scans static-site configs (Hugo, Jekyll, Next.js) for exposed build artifacts, secrets in public/, and source-map leaks |
| Drop npm distribution | Single channel — npx github:Back-Road-Creative/rigscore. No npm account required, fewer supply-chain surfaces |
| Release workflow consolidation | One release.yml drives tag, GitHub release, headlessmode journal post, and tool-page sync |
| workflow_dispatch on release | Manual re-trigger now possible when a release run fails mid-flight |

Infrastructure-security check

rigscore started as an AI-dev hygiene tool — governance files, skill files, MCP configs. v0.8.0 extends the hygiene model to the infrastructure that hosts those agents. The new infrastructure-security check scans for the most common same-day misconfigurations:

  • Public S3 buckets, GCS buckets, and Azure storage accounts declared without private-access flags
  • RDS / Cloud SQL / Azure DB instances without encryption-at-rest
  • IAM policies that grant * on * to non-root principals
  • Terraform state files committed to the repo (a classic secret-leak vector)

The check is weighted 6 points — same as docker-security — and slots into the hygiene side of the scoring model.


Site-security check

Static sites are a surprisingly rich leak surface. Build tools routinely copy everything in content/ or pages/ into public/ — including the .env that was sitting in the repo root, the source maps that leak your TypeScript, and the draft pages with unreleased announcements. The new site-security check looks at the common static-site frameworks and flags:

  • .env* files inside public/, static/, dist/, or build/
  • Source-map files (*.map) shipped to production
  • Draft content without a draft: true flag that still ships on build
  • config.toml / _config.yml with buildDrafts = true or equivalent
  • Known analytics or admin keys embedded in client-visible config

Like infrastructure-security, this slots into the hygiene side at 6 points.
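The site-security rules above, as an added example that is not rigscore's own code: it scans an in-memory listing of a site tree (a constructed sample) for .env files and source maps under build output directories, and for drafts enabled in Hugo's config.toml or Jekyll's _config.yml. The rule names, severities and the findings-to-points mapping are assumptions, not rigscore's actual scoring.

```javascript
// Added example, not rigscore's own code. Scans a static site tree for the
// leak patterns the site-security check describes. Input is a map of
// repo-relative path -> file text so the example runs without touching disk.
const BUILD_DIRS = ['public', 'static', 'dist', 'build'];

// Hugo: buildDrafts = true in config.toml; Jekyll: show_drafts: true in
// _config.yml. Anchored to line start so a commented-out line does not match.
const DRAFTS_ENABLED = /^\s*(buildDrafts|show_drafts)\s*[:=]\s*true\b/m;

function scanSite(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const parts = path.split('/');
    const name = parts[parts.length - 1];
    const inBuildDir = parts.length > 1 && BUILD_DIRS.includes(parts[0]);

    // Rule 1: any .env* file copied into a build output directory.
    if (inBuildDir && name.startsWith('.env')) {
      findings.push({ path, rule: 'env-in-public', severity: 'high' });
    }
    // Rule 2: source maps shipped alongside production assets.
    if (inBuildDir && name.endsWith('.map')) {
      findings.push({ path, rule: 'source-map-shipped', severity: 'medium' });
    }
    // Rule 3: framework config that builds drafts into the release.
    if ((name === 'config.toml' || name === '_config.yml') && DRAFTS_ENABLED.test(content)) {
      findings.push({ path, rule: 'drafts-enabled', severity: 'medium' });
    }
  }
  return findings;
}

// Assumed scoring (rigscore's real deduction rules are not on the page):
// the check is worth 6 points and any finding forfeits all of them.
function siteSecurityPoints(findings) {
  return findings.length === 0 ? 6 : 0;
}

// Constructed sample tree: one clean page, three leaks.
const SAMPLE_SITE = {
  'config.toml': 'baseURL = "https://example.invalid/"\n# buildDrafts = false\nbuildDrafts = true\n',
  'content/posts/draft.md': '---\ntitle: "Unreleased"\ndraft: true\n---\n',
  'public/index.html': '<!doctype html><title>ok</title>',
  'public/.env.production': 'ANALYTICS_KEY=constructed-placeholder\n',
  'public/js/app.js.map': '{"version":3,"sources":["src/app.ts"]}',
};
const findings = scanSite(SAMPLE_SITE);
for (const f of findings) console.log(`${f.severity.padEnd(6)} ${f.rule.padEnd(20)} ${f.path}`);
console.log(`site-security: ${siteSecurityPoints(findings)}/6`);
```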


npm dropped — GitHub only

rigscore was briefly published to npm. It isn’t anymore. The distribution surface is now a single path:

    npx github:Back-Road-Creative/rigscore

Two reasons. First, the npm account adds a supply-chain surface (2FA reset attacks, account takeovers) that a scoring tool built to warn you about supply-chain attacks shouldn’t introduce. Second, the github: protocol pins to a tag or branch — users can audit exactly what they’re running without an opaque registry indirection.

The npm install -g rigscore path is gone. No migration: change rigscore to npx github:Back-Road-Creative/rigscore in your CI and local shell.


Release plumbing

The v0.8.0 release cycle exposed a handful of CI gaps. Three fixes landed:

  • release.yml consolidated from two overlapping workflows into one
  • workflow_dispatch added so a failed release can be re-run manually without retagging
  • Git log sourcing for the auto-generated headlessmode journal post fixed — previous releases published with empty commit tables

Run it

    npx github:Back-Road-Creative/rigscore

No accounts, no telemetry, no network calls. MIT licensed.

github.com/Back-Road-Creative/rigscore