rigscore
A hygiene score for your AI development environment
One command. 14 checks. A score out of 100. Know where you stand before something breaks.
rigscore v0.7.2
AI Dev Environment Hygiene Check

Scanning /home/user/my-project ...
MCP server configuration...... 0/16
Cross-config coherence........ 16/16
Skill file safety............. 10/10
CLAUDE.md governance.......... 10/10
Claude settings safety........ 8/8
Deep source secrets........... N/A
Secret exposure............... 8/8
Credential storage............ 6/6
Docker security............... 6/6
Unicode steganography......... 4/4
Git hooks..................... 2/4
Permissions hygiene........... 4/4
~ Windows/WSL security.......... advisory
~ Network exposure.............. advisory

HYGIENE SCORE: 74/100
Grade: C
Risk: Standard
Why this exists
AI coding tools are powerful. Claude Code, Cursor, Windsurf, and autonomous agents can read your filesystem, execute commands, call APIs, and modify your codebase. Most developers set them up fast and never audit the configuration hygiene.
rigscore checks the things that matter:
- Does your AI agent have governance rules, or is it operating without boundaries?
- Are your MCP servers scoped to project directories, or can they access your entire filesystem?
- Are your API keys in `.gitignore`, or one commit away from being public?
- Are your containers configured safely, or is the socket exposed?
- Do you have commit hooks catching mistakes?
- Are your skill files clean, or could they contain injection payloads?
- Are file permissions locked down?
- Do your governance claims match your actual configuration?
- Are there hardcoded secrets buried in your source code?
- Is your Windows/WSL boundary more porous than you think?
- Do your Claude settings expose dangerous permissions or bypass combos?
- Are credentials stored correctly, or are they leaking into the wrong places?
- Are there hidden characters in your skill files that could redirect agent behavior?
Run it. See the score. Fix what’s broken.
What it checks
| Check | Points | What it scans |
|---|---|---|
| MCP server configuration | 16 | Transport type, wildcard env passthrough, filesystem scope, version pinning, cross-client drift, typosquatting |
| Cross-config coherence | 16 | Governance claims vs. actual config, compound risk detection, undeclared MCP capabilities, settings/governance contradictions |
| Skill file safety | 10 | Injection patterns, shell execution, external URLs, encoded content |
| CLAUDE.md governance | 10 | Governance file existence, forbidden actions, approval gates, multi-line injection detection, negation handling |
| Claude settings safety | 8 | enableAllProjectMcpServers, skip-permissions, hook script execution, bypass combos, dangerous allow-lists |
| Deep source secrets | 8 | Recursive source file scanning for 34 secret patterns (--deep) |
| Secret exposure | 8 | .env in .gitignore, API key patterns in configs, file permissions, SOPS |
| Credential storage hygiene | 6 | Credentials stored outside env vars and secret managers |
| Docker security | 6 | Docker socket mounts, privileged mode, host paths, missing user/cap_drop, K8s |
| Unicode steganography detection | 4 | Hidden chars in skill files: Greek/Armenian/Georgian lookalikes, zero-width chars, bidi overrides |
| Git hooks | 4 | Pre-commit hooks, Claude Code hooks, push URL guards |
| Permissions hygiene | 4 | SSH directory/key permissions, world-readable sensitive files |
| Windows/WSL security | advisory | WSL interop settings, Windows PATH injection, mount permissions, defender exclusions |
| Network exposure | advisory | AI service bind addresses, MCP SSE hosts, Docker port mappings, live listener scan |
Supports all major AI coding clients: Claude Code, Cursor, Windsurf, Cline, Continue, Copilot, Aider, Zed, Amp, and AGENTS.md.
New in v0.7
CLAUDE.md hardening
Multi-line injection detection now catches prompt injection patterns that split tokens across lines, a bypass technique that single-line scanning misses. Negation handling upgraded to CRITICAL: governance rules lacking negation context (“never”, “don’t”, “without”) now escalate from WARNING to CRITICAL. A governance file that says “execute commands” without “never execute commands” is a real finding.
Three new governance quality checks: TDD/Pipeline Lock rules, Definition of Done enforcement, git workflow rules. Missing any of these in your governance file now counts against your score.
Claude settings: bypass combo detection
The claude-settings check now detects combinations of settings that together eliminate security gates: pairing enableAllProjectMcpServers with hooks that grant broad filesystem access, or combining skip-permissions with allow-lists that permit arbitrary operations. Individual settings may be acceptable; certain combinations are not.
Coherence: settings vs. governance alignment
The coherence check now cross-references settings.json against CLAUDE.md. If your governance file requires approval gates for destructive operations but your settings disable them, that contradiction is now a finding.
New in v0.6
Three new checks
Claude settings safety (claude-settings) scans .claude/settings.json for configurations that expand attack surface: enableAllProjectMcpServers, hooks that shell out to arbitrary commands, and skip-permissions mode.
Credential storage hygiene (credential-storage) checks where credentials actually live: env vars in the right files, committed secrets in the wrong ones. Broader pattern coverage than the existing secret exposure check.
Unicode steganography detection (unicode-steganography) checks skill files and CLAUDE.md for hidden characters: Greek lookalikes that render identically to Latin letters, zero-width joiners, bidirectional control characters. Covers the attack surface from the ToxicSkills and Rules File Backdoor incidents.
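A minimal scanner for the three character classes named above, as an added example rather than rigscore's own code. The exact code point ranges, the mixed-script rule, and the names `scanHiddenChars` and `SAMPLE_SKILL` are assumptions made for this illustration.

```javascript
// Added illustration, not rigscore's implementation. Character classes are
// assumptions based on the categories named in the text above.
const ZERO_WIDTH = /[\u200B-\u200D\u2060]/gu;
const BIDI_CONTROL = /[\u200E\u200F\u202A-\u202E\u2066-\u2069]/gu;
const LOOKALIKE = /[\p{Script=Greek}\p{Script=Armenian}\p{Script=Georgian}]/gu;
const LATIN = /\p{Script=Latin}/u;

function scanHiddenChars(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const add = (kind, ch, index) => findings.push({
      line: i + 1,
      col: index + 1,
      kind,
      codePoint: 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
    });
    // Invisible and direction-changing characters are reported wherever they occur.
    for (const m of line.matchAll(ZERO_WIDTH)) add('zero-width', m[0], m.index);
    for (const m of line.matchAll(BIDI_CONTROL)) add('bidi-control', m[0], m.index);
    // Lookalike letters are reported only inside a word that also contains
    // Latin letters, so text genuinely written in those scripts is not flagged.
    for (const word of line.matchAll(/\p{L}+/gu)) {
      if (!LATIN.test(word[0])) continue;
      for (const m of word[0].matchAll(LOOKALIKE)) {
        add('mixed-script-lookalike', m[0], word.index + m.index);
      }
    }
  });
  return findings;
}

// Constructed sample skill file (not taken from any real incident).
const SAMPLE_SKILL = [
  'Always ask before running shell commands.',
  'Never \u03BFverride the approval gate.',      // Greek omicron for "o"
  'Read files under src/\u200Bonly.',             // zero-width space
  'Note: \u202Etxet desrever\u202C ends here.',   // bidi override + pop
  '\u0395\u03BB\u03BB\u03B7\u03BD\u03B9\u03BA\u03AC is plain Greek.',
].join('\n');

for (const f of scanHiddenChars(SAMPLE_SKILL)) {
  console.log(`${f.line}:${f.col} ${f.kind} ${f.codePoint}`);
}
```

The last sample line shows why the lookalike rule keys on mixed-script words: a word written entirely in Greek produces no finding.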
Finding IDs and suppression
Every finding carries a stable ID in the format checkId/slugified-title. Suppress findings you’ve accepted:
Or in .rigscore.json:
OWASP Agentic Top 10 mapping
Every finding is tagged to the OWASP Agentic Top 10 (2026), ASI01 through ASI10. Tags appear in JSON and SARIF output.
CVE-specific detection
Compound detection patterns for CVE-2025-59536 (Claude Code path traversal), CVE-2026-21852 (MCP SSRF via redirect chain), and CVE-2025-54136 (prompt injection via Unicode bidi override).
New in v0.5
Network exposure check
Advisory check that detects AI services (Ollama, LM Studio, Open WebUI, MCP SSE servers, OpenClaw, LiteLLM, LocalAI, vLLM, FastChat) bound to 0.0.0.0 instead of 127.0.0.1. Scans four layers:
- MCP config URLs: flags SSE/streamable-http endpoints targeting non-loopback hosts (CRITICAL)
- Docker port bindings: flags AI service ports mapped without explicit `127.0.0.1:` bind (WARNING)
- Ollama config: checks systemd overrides and `.ollama/.env` for `OLLAMA_HOST=0.0.0.0` (WARNING)
- Live listeners: runs `ss` or `lsof` to detect AI ports currently listening on all interfaces (WARNING)
Ships as advisory (weight: 0, no score impact). Respects config.network.safeHosts for custom allowlisting.
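The Docker port-binding layer can be sketched as follows. This is an added example, not rigscore's code: the port table lists commonly used default ports for some of the named services, and treating `safeHosts` as a list of extra accepted bind addresses is an assumption about `config.network.safeHosts`.

```javascript
// Added illustration, not rigscore's code. The port table is an assumption:
// commonly used default ports for some of the services named above.
const AI_PORTS = new Map([
  [11434, 'Ollama'], [1234, 'LM Studio'], [8000, 'vLLM'],
  [4000, 'LiteLLM'], [8080, 'LocalAI / Open WebUI'],
]);
const LOOPBACK = new Set(['127.0.0.1', '::1']);

// Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
// Single ports only; port ranges are not handled here.
function parsePortMapping(spec) {
  let body = String(spec).split('/')[0];
  let hostIp = null;
  const v6 = body.match(/^\[([^\]]+)\]:(.*)$/);   // bracketed IPv6 host
  if (v6) { hostIp = v6[1]; body = v6[2]; }
  const parts = body.split(':');
  if (!v6 && parts.length === 3) hostIp = parts.shift();
  const containerPort = Number(parts.pop());
  const hostPort = parts.length && parts[0] !== '' ? Number(parts[0]) : null;
  return { hostIp, hostPort, containerPort };
}

// safeHosts stands in for config.network.safeHosts; treating it as a list of
// extra accepted bind addresses is an assumption.
function checkPortBindings(specs, safeHosts = []) {
  const findings = [];
  for (const spec of specs) {
    const { hostIp, hostPort, containerPort } = parsePortMapping(spec);
    const service = AI_PORTS.get(containerPort) ?? AI_PORTS.get(hostPort);
    if (!service) continue;                        // not a known AI port
    if (hostIp && (LOOPBACK.has(hostIp) || safeHosts.includes(hostIp))) continue;
    const reason = hostIp
      ? `bound to ${hostIp}`
      : 'no host IP given, so Docker publishes on all interfaces by default';
    findings.push({ spec, service, severity: 'WARNING', reason });
  }
  return findings;
}

// Constructed "ports:" entries from a hypothetical compose file.
const SAMPLE_PORTS = [
  '11434:11434', '127.0.0.1:8000:8000', '0.0.0.0:4000:4000',
  '[::1]:1234:1234', '5432:5432', '8080', '10.0.0.5:3001:8080/tcp',
];
console.log(checkPortBindings(SAMPLE_PORTS));
```

The bare `8080` entry is flagged because a container-only port is still published on a host port; the fix in each flagged case is to prefix the mapping with `127.0.0.1:`.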
New in v0.4.0
Watch mode
Re-scans on file changes, reports score deltas.
Windows/WSL security check
Advisory check for WSL2 environments: flags interop exposure, Windows PATH injection, permissive mount defaults, and Defender exclusion gaps. Does not affect numeric score.
Plugin system
Custom checks via npm packages named rigscore-check-*:
Git hook install
Usage
Scoring
| Score | Grade | Meaning |
|---|---|---|
| 90-100 | A | Strong hygiene posture |
| 75-89 | B | Good foundation, some gaps |
| 60-74 | C | Moderate risk, needs attention |
| 40-59 | D | Significant gaps |
| 0-39 | F | Critical issues, fix immediately |
Uses moat-heavy weighting: AI-specific checks account for ~60% of the score. Each CRITICAL finding zeroes out its sub-check. Each WARNING deducts 15 points. INFO findings deduct 2 points each, with a floor of 50 when no WARNINGs are present.
Compound risk penalty: When the coherence check finds contradictions between governance claims and actual configuration, additional points are deducted from the overall score.
CI Integration
GitHub Action
SARIF Output
Auto-fix
Privacy
Runs entirely on your local machine. No data collected, transmitted, or stored. No API calls. No telemetry. No accounts.
Source
MIT licensed. Issues and PRs welcome at github.com/Back-Road-Creative/rigscore.