
Rule Reference

SEC205 · lintai-ai-security · threat-review · security · stable · hook · deny

Hook script: hardcoded auth in network call

Hook script embeds static authentication material in a network call

Public lane: threat-review
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: hook
Tier: stable
Severity: deny
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches literal static auth material in hook URLs or authorization headers.

Deterministic signal basis

HookSignals userinfo/header literal extraction excluding dynamic references.

Malicious corpus: hook-static-auth-userinfo
Benign corpus: hook-auth-dynamic-safe
Badges: structured evidence required · remediation reviewed
Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

Why It Matters

Embedding literal credentials in hook URLs or headers turns the committed hook itself into a secret-bearing artifact: anyone with read access to the repository, its history, or its mirrors holds the credential. That creates both credential exposure risk and a hard-to-rotate auth path, since rotation means editing and re-committing the hook rather than changing a value at the credential's source.

What Triggers

SEC205 applies to executable hook shell lines and triggers when literal auth material appears in:

  • URL userinfo
  • authorization headers
  • other direct auth-carrying network parameters

Examples that trigger:

sh
curl https://deploy-token@internal.test/bootstrap.sh -o /tmp/bootstrap.sh
curl -H 'Authorization: Bearer static-token-value' https://internal.test/bootstrap.sh

Example that stays clean:

sh
curl https://${DEPLOY_TOKEN}@internal.test/bootstrap.sh -o /tmp/bootstrap.sh

False Positives

This rule excludes dynamic placeholders and environment-backed auth references (shell variable expansions such as `${DEPLOY_TOKEN}` in the clean example above, and command substitutions). It is aimed at committed literal credentials, not at all auth usage.
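As an added illustration of the trigger and exclusion boundary described above (example code written for this page, not lintai's HookSignals implementation): a small Python scanner that pulls URL userinfo, auth-carrying header values and curl `-u`/`--user` credentials out of hook shell lines and reports only literal values, skipping `$VAR`, `${VAR}`, `$(cmd)` and backtick references. The constructed sample hook, the set of header names treated as auth-carrying, and the `-u` handling are assumptions made for the example; the real rule's parameter list is what the page says and no more.

```python
"""Toy SEC205-style detector: literal auth material in hook shell lines.

Added illustration, not lintai's HookSignals code. Extracts URL userinfo,
auth-carrying header values and curl -u credentials from shell words and
reports only literal values; dynamic references are skipped.
"""
import re
import shlex
from typing import Optional

# Shell expansions that mean the value is resolved at runtime, not committed.
DYNAMIC_REF = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|\$\(|`")
# scheme://netloc  (own regex instead of urlsplit so ${VAR}@host parses cleanly)
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]+)")
# Header names treated as auth-carrying: an assumed list for this example.
AUTH_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "private-token"}
HEADER_FLAGS = ("-H", "--header")
USER_FLAGS = ("-u", "--user")  # curl basic-auth flags (assumed extra parameter)


def is_dynamic(value: str) -> bool:
    """True when the value contains a variable or command substitution."""
    return DYNAMIC_REF.search(value) is not None


def _literal(kind: str, value: str) -> Optional[dict]:
    """Finding only for a non-empty value with no dynamic reference."""
    if not value or is_dynamic(value):
        return None
    return {"kind": kind, "value": value}


def check_word(word: str, prev: Optional[str]) -> Optional[dict]:
    """Return a finding for one shell word, given the word before it."""
    # 1. URL userinfo: scheme://user:pass@host/...
    m = URL_RE.match(word)
    if m and "@" in m.group(1):
        return _literal("url-userinfo", m.group(1).rsplit("@", 1)[0])
    # 2. Header value: -H 'Name: v', --header 'Name: v', --header=Name:v, -HName:v
    header = None
    if prev in HEADER_FLAGS:
        header = word
    elif word.startswith("--header="):
        header = word[len("--header="):]
    elif word.startswith("-H") and len(word) > 2:
        header = word[2:]
    if header is not None and ":" in header:
        name, value = header.split(":", 1)
        if name.strip().lower() in AUTH_HEADERS:
            return _literal("auth-header", value.strip())
    # 3. curl -u user:password / --user=user:password
    if prev in USER_FLAGS:
        return _literal("user-credential", word)
    if word.startswith("--user="):
        return _literal("user-credential", word[len("--user="):])
    return None


def scan_line(line: str) -> list:
    """Findings for one hook line; blank and comment lines yield none."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    try:
        words = shlex.split(stripped)  # quotes removed, no expansion performed
    except ValueError:  # unbalanced quotes: leave to a real shell parser
        return []
    findings, prev = [], None
    for word in words:
        finding = check_word(word, prev)
        if finding:
            finding["line"] = stripped
            findings.append(finding)
        prev = word
    return findings


def scan_hook(script: str) -> list:
    """Findings for a whole hook script, in line order."""
    return [f for line in script.splitlines() for f in scan_line(line)]


# Constructed sample hook: two committed literals, three dynamic references.
SAMPLE_HOOK = """#!/bin/sh
# constructed sample hook for this example
curl https://deploy-token@internal.test/bootstrap.sh -o /tmp/bootstrap.sh
curl -H 'Authorization: Bearer static-token-value' https://internal.test/bootstrap.sh
curl -u "ci:$(cat /run/secrets/ci_pw)" https://internal.test/status
curl https://${DEPLOY_TOKEN}@internal.test/bootstrap.sh -o /tmp/bootstrap.sh
curl -H "Authorization: Bearer $TOKEN" https://internal.test/bootstrap.sh
"""

if __name__ == "__main__":
    for f in scan_hook(SAMPLE_HOOK):
        print(f"SEC205 {f['kind']}: {f['value']!r} in: {f['line']}")
```

Running it reports exactly the first two curl lines (the userinfo literal `deploy-token` and the header value `Bearer static-token-value`); the `$(cat ...)`, `${DEPLOY_TOKEN}` and `$TOKEN` forms are left alone, which is the distinction the benign corpus `hook-auth-dynamic-safe` exists to pin down. Because the scanner works on shell words rather than expanded values, a literal hidden behind a quoted variable name still counts as dynamic, so it would miss a secret assigned to that variable earlier in the same file; a per-file rule that wanted to close that gap would need to resolve simple assignments first.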

Remediation

Move embedded credentials out of URLs and headers into environment or provider-local auth configuration. There is no built-in fix because the correct credential source is deployment-specific.