rigscore v1.0.0
- #rigscore
- #security
- #ai
- #devtools
- #open-source
- #v1
Changes: v0.9.0 → v1.0.0
First tagged 1.x release — a packaging, quality, and distribution milestone. Stabilises the finding API, extends profiles, draws a clean line in the changelog.
Added
| Change | What it does |
|---|---|
| Scoring profiles (home, monorepo) | Picks the right weights for skill-library homes vs. polyrepos. --profile CLI flag + .rigscorerc.json key; precedence CLI > project > ~/.rigscorerc.json > default. |
| Baseline / diff mode | --baseline <path> reports only findings new since the baseline. rigscore diff <baseline> <current> emits JSON for CI gating. |
| Suppress semantics — glob + regex | skill-files:drive-resume/*, re:/.*sudo.*/ alongside the existing substring form. Backwards compatible. |
| skillFiles.allowlist | Per-skill + per-pattern allowlist so legitimate operator-skill sudo usage isn't flagged. Keyed by skill directory and pattern id. |
| instructionEffectiveness.crossRepoRefs | Config key for glob-allowlisting known-good cross-repo path references. |
| Per-finding evidence field | Every finding now carries a ≤120-char snippet of the offending content. Reporter renders it when present. |
| Fixture-dogfood suite | test/fixtures/scored-project/ with 42 intentional findings across 12+ checks, plus an assertion suite that locks the expected score range. |
| rigscore init / rigscore explain <findingId> | New subcommands. init --example scaffolds a demo project with intentional issues. |
| Docker image | ghcr.io/back-road-creative/rigscore:<tag> published on v*.*.* tag push. |
| CHANGELOG.md | First entry. |
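The suppress forms and the baseline gate in the table above, as an added example. This is not rigscore's own code: the release does not show its finding shape or config parser, so the example assumes findings are objects with checkId, findingId, title and evidence; that a suppress entry of the form checkId:glob scopes a glob to that check's findingIds; that re:/.../ entries are JavaScript regexes tested against checkId/findingId and against the title; and that any other entry is the pre-1.0 substring form. The finding objects and suppress list are constructed for the example.

```javascript
// Added example, not rigscore's own code. Assumed finding shape:
//   { checkId, findingId, title, evidence }
// Assumed suppress entry forms (the first two use the syntax from the release notes):
//   "skill-files:drive-resume/*"  -> glob on findingId, scoped to one checkId
//   "re:/.*sudo.*/"               -> regex on "checkId/findingId" and on title
//   "anything else"               -> pre-1.0 substring form, kept compatible

// Stable key, same shape as the per-finding SARIF ruleId.
function findingKey(f) {
  return `${f.checkId}/${f.findingId}`;
}

// Convert a glob to an anchored RegExp: "*" stops at "/", "**" crosses it.
function globToRegExp(glob) {
  let src = '';
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if (ch === '*' && glob[i + 1] === '*') { src += '.*'; i++; }
    else if (ch === '*') src += '[^/]*';
    else if (ch === '?') src += '[^/]';
    else src += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + src + '$');
}

// Compile one suppress entry into a predicate over a finding.
function compileSuppress(entry) {
  const re = /^re:\/(.+)\/([a-z]*)$/.exec(entry);
  if (re) {
    const rx = new RegExp(re[1], re[2]);
    return (f) => rx.test(findingKey(f)) || rx.test(f.title);
  }
  const scoped = /^([a-z][a-z0-9-]*):(.+)$/.exec(entry);
  if (scoped) {
    const rx = globToRegExp(scoped[2]);
    return (f) => f.checkId === scoped[1] && rx.test(f.findingId);
  }
  return (f) => findingKey(f).includes(entry) || f.title.includes(entry);
}

function applySuppressions(findings, suppress) {
  const preds = suppress.map(compileSuppress);
  return findings.filter((f) => !preds.some((p) => p(f)));
}

// Baseline diff keyed on checkId/findingId, not title, so a title rewrite does
// not resurface an already-accepted finding. Non-zero exitCode gates CI.
function diffFindings(baseline, current) {
  const known = new Set(baseline.map(findingKey));
  const newFindings = current.filter((f) => !known.has(findingKey(f)));
  return { newCount: newFindings.length, newFindings, exitCode: newFindings.length ? 1 : 0 };
}

// Suppressions are applied to both sides before diffing, so a suppressed
// finding neither counts as new nor pads the baseline.
function gate(baseline, current, suppress) {
  return diffFindings(applySuppressions(baseline, suppress), applySuppressions(current, suppress));
}

// Constructed sample data (not real rigscore output).
const BASELINE = [
  { checkId: 'skill-files', findingId: 'drive-resume/run.sh', title: 'sudo in skill script', evidence: 'sudo apt-get install -y rclone' },
  { checkId: 'instruction-effectiveness', findingId: 'AGENTS.md:9', title: 'Dead path reference', evidence: 'see docs/old-guide.md' },
];
const CURRENT = [
  ...BASELINE,
  { checkId: 'skill-files', findingId: 'drive-resume/cleanup.sh', title: 'sudo in skill script', evidence: 'sudo rm -rf /tmp/drive-cache' },
  { checkId: 'skill-files', findingId: 'deploy/push.sh', title: 'sudo in skill script', evidence: 'sudo systemctl restart app' },
  { checkId: 'secrets', findingId: '.env.example:AWS_KEY', title: 'Possible credential', evidence: 'AWS_SECRET_ACCESS_KEY=' },
];
const SUPPRESS = ['skill-files:drive-resume/*', 're:/.*AWS_KEY.*/', 'Dead path'];

// Only deploy/push.sh survives suppression and is absent from the baseline.
console.log(JSON.stringify(gate(BASELINE, CURRENT, SUPPRESS), null, 2));
```

The scoped glob uses the same "*" does not cross "/" rule as common globbers, so skill-files:drive-resume/* will not silence a finding nested one directory deeper; use ** for that. A substring entry still matches on title, which is why the fix matcher change below moves plugins off title matching while suppressions keep it for compatibility.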
Changed
| Change | What it does |
|---|---|
| SARIF ruleIds — per-finding | <checkId>/<findingId> instead of check-level. Improves finding dedup and cross-run tracking in GitHub Advanced Security. |
| Fix matcher — findingId-based | Title-substring matching is a deprecated fallback with a console warning. Plugin fixes no longer silently break on title rewrites. |
| Coverage scaling — weight-0 advisories excluded | Adding new advisories can no longer drag the score down. |
| instruction-effectiveness false-positive cut | File-line-range suffixes stripped before path-existence checks; cross-repo refs allowlist-aware. /home/joe dead-ref count dropped from 143 → 12. |
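The instruction-effectiveness false-positive cut in the row above, as an added example rather than rigscore's own code. It assumes references arrive as { file, line, ref } records already extracted from instruction files, that the project's file list is supplied as a Set (so the check runs offline), and that a crossRepoRefs entry is a glob in which "*" matches any run of characters; the suffix forms it strips (path:12, path:12-34, path#L12-L34) are the common ones, not a list taken from the release. The file set and references are constructed for the example.

```javascript
// Added example, not rigscore's own code. It shows the two false-positive cuts
// named above: line-range suffixes are stripped before the existence check, and
// references matching a crossRepoRefs glob are skipped.
// Assumptions: refs arrive as { file, line, ref } extracted from instruction
// files; the project's file list is passed in as a Set so this runs offline.

// Trailing line or line-range forms: "a.md:12", "a.md:12-34", "a.md#L12",
// "a.md#L12-L34", "a.md#L12-34". Only digit suffixes match, so a Windows path
// such as "C:\tools\x.exe" or a URL with a port in the middle is left alone.
const LINE_SUFFIX = /(?::\d+(?:-\d+)?|#L\d+(?:-L?\d+)?)$/;

function stripLineRange(ref) {
  return ref.replace(LINE_SUFFIX, '');
}

// Minimal glob for allowlist entries ("*" matches any run of characters);
// a simplification of full glob semantics, enough for prefix-style entries.
function simpleGlob(pattern) {
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + pattern.split('*').map(esc).join('.*') + '$');
}

function finding(kind, file, line, ref) {
  return {
    checkId: 'instruction-effectiveness',
    findingId: `${kind}:${file}:${line}`,
    // evidence snippet capped at 120 chars, as in the v1.0.0 finding format
    evidence: `${file}:${line} -> ${ref}`.slice(0, 120),
  };
}

// options.stripRanges = false reproduces the pre-1.0 behaviour for comparison.
function checkRefs(refs, projectFiles, crossRepoAllow, options = {}) {
  const strip = options.stripRanges !== false;
  const allow = crossRepoAllow.map(simpleGlob);
  const findings = [];
  for (const { file, line, ref } of refs) {
    const target = strip ? stripLineRange(ref) : ref;
    if (projectFiles.has(target)) continue;                 // exists in this repo
    if (allow.some((rx) => rx.test(target))) continue;      // known-good cross-repo ref
    findings.push(finding('dead-ref', file, line, ref));
  }
  return findings;
}

// Constructed sample input (not real rigscore output).
const PROJECT_FILES = new Set(['AGENTS.md', 'docs/setup.md', 'src/index.ts', 'skills/drive-resume/SKILL.md']);
const REFS = [
  { file: 'AGENTS.md', line: 4, ref: 'docs/setup.md:12-34' },
  { file: 'AGENTS.md', line: 9, ref: 'src/index.ts#L40-L58' },
  { file: 'AGENTS.md', line: 15, ref: 'docs/old-guide.md' },
  { file: 'skills/drive-resume/SKILL.md', line: 2, ref: '../shared-skills/common/setup.md:3' },
  { file: 'skills/drive-resume/SKILL.md', line: 7, ref: '../other-repo/notes.md' },
];
const CROSS_REPO_ALLOW = ['../shared-skills/*'];

// 2 dead refs with the v1.0.0 rules; 4 with the pre-1.0 rules, because the two
// line-ranged references to real files were counted as missing paths.
console.log('v1.0.0 behaviour:', checkRefs(REFS, PROJECT_FILES, CROSS_REPO_ALLOW).length, 'dead refs');
console.log('pre-1.0 behaviour:', checkRefs(REFS, PROJECT_FILES, CROSS_REPO_ALLOW, { stripRanges: false }).length, 'dead refs');
```

The allowlist is consulted only after the local existence check fails, so an entry cannot mask a real file in the project, and the unallowlisted ../other-repo reference is still reported: the allowlist narrows the false positives without turning every cross-repo path into a pass.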
Distribution
- npm publish remains off by design. Distribution is GitHub-only via npx github:Back-Road-Creative/rigscore. See the repo README "Distribution" section for the rationale.
- Cross-platform CI matrix deferred pending the --json truncation investigation on macOS runners. Ubuntu-only for v1.0.0.
Install
```sh
npx github:Back-Road-Creative/rigscore
```
No accounts, no telemetry, no network calls. MIT licensed.