rigour
Health: Passed
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 20 GitHub stars
Code: Failed
- child_process — Shell command execution capability in .github/workflows/pipeline.yml
- execSync — Synchronous shell command execution in .github/workflows/pipeline.yml
- rm -rf — Recursive force deletion command in .github/workflows/pipeline.yml
- process.env — Environment variable access in .github/workflows/pipeline.yml
- process.env — Environment variable access in examples/vibe-messy/src/monolith.js
Permissions: Passed
- Permissions — No dangerous permissions requested
This MCP server acts as a real-time security and governance guardrail for AI coding agents. It scans repositories to detect hardcoded secrets, code drift, and structural violations, automatically blocking or fixing unsafe AI-generated code.
Security Assessment
The tool does not request dangerous permissions and relies on environment variable access strictly for standard configuration. The automated scan did flag shell command execution (`child_process`, `execSync`) and recursive deletion (`rm -rf`) capabilities. However, these findings are entirely isolated to the CI/CD pipeline file (`.github/workflows/pipeline.yml`), meaning they are used to automate the project's testing infrastructure and pose zero risk to the end user's system. There are no hardcoded secrets in the codebase. Overall risk: Low.
Quality Assessment
The project is highly active, with its most recent code push happening today. It uses the permissive MIT license and claims affiliation with OWASP, indicating a strong focus on standard security practices. While the repository currently has 20 GitHub stars, its low community trust score is typical for a new but rapidly evolving utility. The documentation is highly detailed, offering clear, zero-config setup instructions for multiple IDEs and AI agents.
Verdict
Safe to use.
The immune system for AI coding agents
Rigour
Your AI agent just tried to commit an AWS secret. Rigour blocked it in <100ms.
Try it now (zero config)
```bash
npx rigour-scan
```
Works on any repo. No init, no config, no setup. Instant results in your terminal:
```text
HARDCODED SECRET DETECTED
AWS_SECRET_ACCESS_KEY found in src/config.ts:23
+ 22 more violations across 847 files (2.1s)

Score     ████░░░░░░░░░░░░░░░░ 34/100
AI Health ███░░░░░░░░░░░░░░░░░ 28/100
Gates: ✅ file-size ❌ security ❌ ast ✅ deps
Brain: learned 12 patterns · trend: improving ↑
```
Add to your AI IDE (30 seconds)
```json
{
  "mcpServers": {
    "rigour": {
      "command": "npx",
      "args": ["-y", "@rigour-labs/mcp"]
    }
  }
}
```
| IDE / Agent | MCP Tools | Live Dashboard | Real-Time Feed |
|---|---|---|---|
| Claude Desktop | ✅ | ✅ MCP App | ✅ Logging |
| VS Code Copilot | ✅ | ✅ MCP App | ✅ Logging |
| ChatGPT | ✅ | ✅ MCP App | ✅ Logging |
| Goose | ✅ | ✅ MCP App | ✅ Logging |
| Claude Code | ✅ | — | ✅ Logging |
| Cursor | ✅ | — | ✅ Logging |
| Cline | ✅ | — | ✅ Logging |
| Windsurf | ✅ | — | ✅ Logging |
| Codex | ✅ | — | ✅ Logging |
Live governance dashboard (MCP App)
In supported editors, a real-time dashboard appears automatically as your agent works:
```text
┌─ Rigour Governance ──────────────────────────┐
│ Score: 94/100 ✅ PASS                         │
│                                              │
│ 14:32:01 rigour_check → FAIL (34/100)        │
│ 14:32:03 fix_packet   → 8 fixes              │
│ 14:32:15 rigour_check → 71/100 (+37)         │
│ 14:32:22 rigour_check → ✅ PASS 94/100        │
│                                              │
│ Brain: 47 patterns · trend: improving ↑      │
└──────────────────────────────────────────────┘
```
No extra commands. The dashboard appears when the agent calls Rigour tools. Watch your agent self-heal in real time.
What it catches
| Category | Gates |
|---|---|
| Security | Hardcoded secrets (29+ patterns), SQL injection, XSS, CSRF, prototype pollution, Shannon entropy |
| Structural | File size, cyclomatic complexity, method count, parameter count, nesting depth, TODO/FIXME |
| AI Drift | Hallucinated imports, phantom APIs, context drift, retry loop detection |
| Governance | Agent team isolation, checkpoint supervision, memory DLP |
AST-based. Not heuristics. TypeScript, JavaScript, Python, Go, Ruby, C#, Java, Kotlin, Rust.
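As an added illustration (not Rigour's own code) of two of the secret-detection techniques the table names, known-key pattern matching and Shannon entropy, here is a minimal TypeScript scanner run over a constructed source snippet. The regexes, the 4.0-bit threshold and the `scanSource` / `shannonEntropy` names are assumptions for this example, not Rigour's values or API.

```typescript
// Added example (not Rigour's code): a known-key-format regex plus Shannon
// entropy scoring of string literals assigned to secret-looking identifiers.
// The patterns and the 4.0-bit threshold are assumptions, not Rigour's values.
interface Finding {
  line: number;    // 1-based line number in the scanned source
  rule: string;    // which detector fired
  snippet: string; // the offending line, trimmed
}
// Provider key formats (assumed subset; real scanners carry far more).
const KEY_FORMATS: Array<[string, RegExp]> = [
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/],
];
// A 16+ char string literal assigned to an identifier that smells like a secret.
const SECRET_ASSIGN =
  /(secret|token|password|api[_-]?key)\w*\s*[:=]\s*["'`]([^"'`]{16,})["'`]/i;
// Shannon entropy of a string in bits per character.
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] ?? 0) + 1;
  let h = 0;
  for (const ch in counts) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}
function scanSource(src: string, entropyThreshold = 4.0): Finding[] {
  const findings: Finding[] = [];
  src.split("\n").forEach((text, i) => {
    const line = i + 1;
    for (const [rule, re] of KEY_FORMATS) {
      if (re.test(text)) findings.push({ line, rule, snippet: text.trim() });
    }
    const m = SECRET_ASSIGN.exec(text);
    // Entropy separates real credentials from low-entropy placeholders.
    if (m && shannonEntropy(m[2]) >= entropyThreshold) {
      findings.push({ line, rule: "high-entropy-secret", snippet: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: the AWS values are the well-known documentation examples.
const SAMPLE = [
  'const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";',
  'const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
  'const dbPassword = "placeholder-placeholder";',
].join("\n");
console.log(scanSource(SAMPLE)); // flags lines 1 and 2 only; line 3 is low entropy
```

The placeholder on line 3 matches the identifier pattern but scores about 3.2 bits per character, which is why an entropy gate on top of name matching cuts false positives.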
How it works
```text
Agent writes code → Rigour gates fire → FAIL? → Fix Packet (JSON)
                                                      ↓
                                        Agent reads exact instructions
                                                      ↓
                                              Agent fixes → PASS ✓
```
No human in the loop. The agent gets told exactly what's wrong, on which line, and how to fix it — in JSON it can consume.
The Brain — learns your codebase
Every scan reinforces patterns. Patterns decay when absent. At strength 0.9, they are promoted to hard rules. Your project's own immune system — trained locally, zero telemetry.
```text
First week:   catches 12 violations
First month:  catches 8 violations  ← learning your patterns
Third month:  catches 3 violations  ← your agents have adapted
```
How it's different
| Feature | Rigour | ESLint | Cloud tools |
|---|---|---|---|
| Runs locally, zero telemetry | ✅ | ✅ | ❌ |
| Learns YOUR codebase (Brain) | ✅ | ❌ | ❌ |
| Agent self-healing (Fix Packets) | ✅ | ❌ | ❌ |
| Works offline (GGUF sidecar) | ✅ | ✅ | ❌ |
| AI-native drift detection | ✅ | ❌ | ❌ |
| MCP-native (26 tools) | ✅ | ❌ | ❌ |
Used in production
- 19,000+ total installs across CLI and MCP
- Organically forked by Alibaba iFlow
- OWASP project — listed
- Cursor MCP directory — listed
- Zero false positives on 202-finding production audit
Quick reference
```bash
npx rigour-scan                                                   # zero-config scan
npx @rigour-labs/cli init                                         # add gates to your project
npx @rigour-labs/cli check                                        # run gates
npx @rigour-labs/cli check --deep                                 # + local AI analysis
npx @rigour-labs/cli check --deep --provider claude -k sk-ant-xxx # cloud AI
npx @rigour-labs/cli studio                                       # monitoring dashboard
```
Architecture
| Package | Purpose |
|---|---|
| @rigour-labs/core | Gate engine, AST analysis, Fix Packets, Brain |
| @rigour-labs/cli | init, check, scan, run, studio |
| @rigour-labs/mcp | MCP server — 26 tools for agent integration |
| rigour-scan | Zero-config shortcut: `npx rigour-scan` |
Stack: TypeScript strict, web-tree-sitter, Zod, Vitest.
Full docs | Technical Spec | Philosophy
MIT © Rigour Labs — Built by Ashutosh
If Rigour caught something real in your codebase — tell us.