rigscore

March 16, 2026 security, ai, cli, open-source, devtools

A security score for your AI development environment

One command. 7 checks. A score out of 100. Know where you stand before something breaks.

1
npx rigscore

  ╭────────────────────────────────────────╮
  │                                        │
  │        rigscore v0.1.0                 │
  │   AI Dev Environment Security Scan     │
  │                                        │
  ╰────────────────────────────────────────╯

  Scanning /home/user/my-project ...

  ✗ CLAUDE.md governance.......... 0/20
  ✓ MCP server configuration...... 15/15
  ✓ Secret exposure............... 20/20
  ✓ Docker security............... 15/15
  ✗ Git hooks..................... 5/10
  ✓ Skill file safety............. 10/10
  ✓ Permissions hygiene........... 10/10

  ╭────────────────────────────────────────╮
  │                                        │
  │         YOUR RIGSCORE: 75/100          │
  │         Grade: B                       │
  │                                        │
  ╰────────────────────────────────────────╯

Why this exists

AI coding tools are powerful. Claude Code, Cursor, Windsurf, and autonomous agents can read your filesystem, execute commands, call APIs, and modify your codebase. Most developers set them up fast and never audit the security posture.

rigscore checks the things that matter:

Does your AI agent have governance rules, or is it operating without boundaries?
Are your MCP servers scoped to project directories, or can they access your entire filesystem?
Are your API keys in .gitignore, or one commit away from being public?
Are your containers configured safely, or is the socket exposed?
Do you have commit hooks catching mistakes?
Are your skill files clean, or could they contain injection payloads?
Are file permissions locked down?

Run it. See the score. Fix what’s broken.

What it checks

Check	Points	What it scans
CLAUDE.md governance	20	Governance file existence, forbidden actions, approval gates, access restrictions
MCP server config	15	Transport type, wildcard env passthrough, filesystem scope, version pinning
Secret exposure	20	`.env` in `.gitignore`, API key patterns in configs, file permissions, SOPS
Container security	15	Docker socket mounts, privileged mode, host paths, missing user/cap_drop
Git hooks	10	Pre-commit hooks, Claude Code hooks, push URL guards
Skill file safety	10	Injection patterns, shell execution, external URLs, encoded content
Permissions hygiene	10	SSH directory/key permissions, world-readable sensitive files

Supports all major AI coding clients: Claude Code, Cursor, Windsurf, Cline, Continue, Copilot, Aider, and AGENTS.md.

Usage

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# Scan current directory
npx rigscore

# Scan a specific project
npx rigscore /path/to/project

# JSON output for CI
npx rigscore --json

# Monorepo recursive scan
npx rigscore . --recursive --depth 2

# Run a single check
npx rigscore --check docker-security

# Generate a README badge
npx rigscore --badge

Scoring

Score	Grade	Meaning
90-100	A	Strong security posture
75-89	B	Good foundation, some gaps
60-74	C	Moderate risk, needs attention
40-59	D	Significant gaps
0-39	F	Critical issues, fix immediately

Each CRITICAL finding zeroes out its sub-check. Each WARNING reduces it by 50%.

Privacy

Runs entirely on your local machine. No data collected, transmitted, or stored. No API calls. No telemetry. No accounts.

Source

MIT licensed. Issues and PRs welcome at github.com/backroadcreative/rigscore.

← Back to Journal