Getting Started
Get SigmaShake governance running in your project in under 2 minutes.
Option A — AI Agent Setup (Recommended)
If you use Claude Code, Cursor, Windsurf, Antigravity, or any other MCP-compatible AI coding agent, this is the fastest path. Two commands, then just talk to your agent.
Step 1 — Install the CLI
# Via curl (auto-detects platform):
curl -fsSL https://sigmashake.com/install | sh
# Or via npm:
pnpm add -g @sigmashake/ssg
# Or via Docker (OS-agnostic — works on Alpine/musl and old-glibc hosts):
docker pull ghcr.io/sigmashakeinc/ssg:latest
alias ssg='docker run --rm -i -v "$PWD:/work" -w /work ghcr.io/sigmashakeinc/ssg:latest'
# Or via Flatpak (Linux — Fedora, Arch, openSUSE, Steam Deck, Pop!_OS, …):
flatpak remote-add --if-not-exists sigmashake \
https://flatpak.sigmashake.com/sigmashake.flatpakrepo
flatpak install sigmashake com.sigmashake.SSG
alias ssg='flatpak run com.sigmashake.SSG'
Which one? npm and curl produce a glibc-linked binary (Ubuntu 20.04+, Debian 10+, macOS, Windows). Use Docker on Alpine, Chimera, or any host with glibc older than 2.24 — the image bundles its own userspace and runs anywhere a container runtime exists. Use Flatpak when you want sandboxed install + delta auto-updates and you're on a distro where Flatpak is already first-class (Fedora, Arch, openSUSE, Steam Deck, GNOME / KDE app stores).
No terminal at all? Download SigmaShake Desktop — a tray-icon desktop app that sets everything up for you with no terminal required.
Have a terminal on Windows? All three options work. The PowerShell one-liner is the fastest:
iwr -useb sigmashake.com/install.ps1 | iex
Or use winget (winget install SigmaShake.SSG) or npm (pnpm add -g @sigmashake/ssg).
How do I open PowerShell? Press Win + X, then click Terminal (Windows 11) or Windows PowerShell (Windows 10).
Step 2 — Connect your AI agent
# Auto-detects your AI client (Claude Code, Antigravity, Cursor, etc.):
ssg init --client=claude-code
# Or specify explicitly:
ssg init --client=antigravity
ssg init --client=gemini
ssg init --client=codex
# Want to see what `ssg init` will change before it runs? Use --dry-run:
ssg init --dry-run --client=claude-code
ssg init prints a per-file preview showing exactly which files and lines it will create or modify, with revert commands next to each one. Confirm with Y to proceed.
After install, .sigmashake/install-manifest.json records every file SSG touched. Re-read it any time with ssg whatchanged. For the full breakdown of every config file SSG knows how to write, see What SSG Changes on Your Machine.
This writes the ssg-governance MCP server into your AI client's config file — no manual JSON editing required. Restart your AI client once.
Step 3 — Just ask
Open your AI agent and say:
"Set up SigmaShake governance for my project"
The agent calls ssg_onboard, which automatically:
- Detects your tech stack (TypeScript, React, Go, Python, Docker, etc.)
- Creates .sigmashake/config.toml and starter security rules
- Pulls matching rulesets from hub.sigmashake.com
- Runs ssg lint to verify everything
- Returns a health summary
That's it. You're protected.
What else can you ask?
| Say this to your agent | What happens |
|---|---|
| "Set up SigmaShake for my project" | Full one-shot setup (ssg_onboard) |
| "Check if governance is working" | Health diagnostics (ssg_doctor) |
| "Find Docker security rules on the Hub" | Ruleset search (ssg_hub_search) |
| "Install rules-typescript" | Ruleset installation (ssg_hub_pull) |
| "Block any npm publish without my approval" | Custom rule creation (ssg_write_rule) |
| "Show my current plan and active rules" | Status report (ssg_status) |
Option B — Manual CLI Setup
Prefer to do it yourself? Run these four commands:
# 1. Install
pnpm add -g @sigmashake/ssg
# 2. Authenticate (browser opens accounts.sigmashake.com — one click if already signed in)
ssg auth login
# 3. Initialize your project
cd your-project
ssg init
# 4. Pull rulesets for your stack
ssg hub pull rules-typescript # adjust to your stack
ssg hub pull rules-react
ssg hub pull rules-docker
Verify everything works:
ssg lint # check rule syntax
ssg status # system health + active rule count
ssg doctor # full diagnostic report
Start the governance dashboard (optional — shows real-time audit log + approval queue):
ssg serve # opens http://localhost:5599
Authentication
Authentication links your machine to your SigmaShake plan tier (Free / Pro / Enterprise).
Browser login (recommended)
ssg auth login
Select Browser (recommended). Your browser opens to accounts.sigmashake.com — if you're already signed in via GitHub, Google, or your company's SSO, just click Authorize ssg CLI. Token flows back to the CLI automatically.
Enterprise SSO
ssg auth login --sso
See Fleet SSO Setup for Okta, Azure AD, and SAML 2.0 guides.
API Key
ssg auth login --token=YOUR_API_KEY
Write your first rule
Rules live in .sigmashake/rules/. Create a file and write:
rule block-force-push {
  enabled true
  priority 100
  severity error
  DENY execution
  IF command CONTAINS "git push --force"
  OR command CONTAINS "git push -f"
  MESSAGE "Force push is blocked. Use --force-with-lease instead."
}
Then verify:
ssg lint # ✓ 1 rule OK
ssg list # shows all active rules
See Rule Syntax for the full language reference.
Test a rule manually
echo '{"tool":"Bash","input":{"command":"git push --force origin main"}}' | ssg eval
Output:
{
"decision": "block",
"rule_id": "block-force-push",
"reason": "Force push is blocked. Use --force-with-lease instead.",
"duration_ms": 1
}
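A single passing case says little about what else the block-force-push rule matches. The script below is an added example, not SigmaShake's code: it assumes CONTAINS is a plain case-sensitive substring test, models the rule's two conditions locally, and builds payloads in the shape shown above. `predict`, `payload` and `report` are hypothetical helper names, and the test matrix is constructed.

```shell
#!/bin/sh
# Added example: coverage check for the block-force-push rule.
# ASSUMPTION: CONTAINS behaves as a plain substring match on the command.

# predict CMD -> "block" or "allow" under the modelled rule conditions
predict() {
    case "$1" in
        *"git push --force"*|*"git push -f"*) echo block ;;
        *) echo allow ;;
    esac
}

# payload CMD -> JSON in the shape piped to `ssg eval` on this page
payload() {
    # Escape backslashes and double quotes so the JSON stays valid
    esc=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"tool":"Bash","input":{"command":"%s"}}\n' "$esc"
}

# Constructed test matrix: intended decision | command
cases='block|git push --force origin main
block|git push -f origin main
block|git push origin main --force
allow|git push --force-with-lease origin main
allow|git push origin main'

# report -> one line per case: intended, modelled, OK/MISMATCH, command
report() {
    printf '%s\n' "$cases" | while IFS='|' read -r want cmd; do
        got=$(predict "$cmd")
        [ "$got" = "$want" ] && flag=OK || flag=MISMATCH
        printf '%s %s %s %s\n' "$want" "$got" "$flag" "$cmd"
    done
}

report
```

Under that assumption the model flags two mismatches: the flag placed after the refspec is not matched, and `--force-with-lease`, which the rule's own MESSAGE recommends, is matched by the first condition. Pipe each `payload` line into `ssg eval` to compare the real decision with the modelled one.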
Integrate with Claude Code
ssg init --client claude-code
This patches .claude/settings.json with:
- Hook — ssg hook eval runs before every tool call
- Permissions — 14 standard tools pre-approved, 18 destructive patterns pre-denied
See Claude Code Integration for the full setup guide.
Next steps
- MCP Server — Complete tool reference for AI agents
- Rule Syntax — Full rule language reference
- Writing Rules — Best practices and patterns
- Hub — Browse and install community rulesets
- CLI Reference — All 30+ commands
- Enterprise Fleet — Fleet admin onboarding via AI agent