
Rule Reference

SEC302 · lintai-ai-security · supply-chain · hardening · stable · json · warn

Config: insecure HTTP endpoint

Configuration contains an insecure http:// endpoint

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: json
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: suggestion
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit insecure http:// endpoints in configuration values.

Deterministic signal basis

JsonSignals resolves the precise http:// endpoint span from the parsed JSON location map, so the finding points at the literal token rather than at surrounding text.

Malicious corpus: mcp-plain-http
Benign corpus: mcp-trusted-endpoint-safe
Structured evidence required; remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

Why It Matters

Committed config that points to http:// endpoints weakens transport integrity and confidentiality. For MCP and related config artifacts, that usually means the client is opting into a non-verified remote transport where HTTPS or local stdio would be safer.

What Triggers

SEC302 applies to parsed JSON configuration values and triggers on explicit insecure http:// endpoint literals.

Example that triggers:

```json
{"url":"http://internal.test"}
```

Example that stays clean:

```json
{"url":"https://internal.test"}
```

False Positives

This is a structural endpoint rule, not a prose heuristic. It reports the concrete http:// span from parsed JSON values and ignores non-endpoint text.

Remediation

Replace the insecure endpoint with HTTPS or a local stdio transport. When the finding is a direct http:// literal, the built-in suggestion can rewrite the prefix to https://.
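As an added illustration (not lintai's own code) of how a structural SEC302-style check behaves end to end: it scans JSON string values for explicit http:// literals, reports the exact source span of the literal rather than a prose match, leaves a value that merely mentions http:// mid-string alone (the False Positives point above), and builds the https:// rewrite suggested under Remediation. The key/value heuristic, the finding layout and the sample MCP-style config are assumptions made for the example.

```python
import json
import re

# Matches one JSON string token, including escaped quotes inside the literal.
_STRING_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"')


def find_insecure_endpoints(config_text: str) -> list[dict]:
    """Return one finding per string value that is an explicit http:// literal.

    Each finding carries the character span of the literal in the raw text
    (so the report points at the exact token), the decoded value, and the
    https:// rewrite suggestion. Hypothetical helper, not lintai's own code.
    """
    json.loads(config_text)  # structural rule: only well-formed JSON is scanned
    findings = []
    for match in _STRING_TOKEN.finditer(config_text):
        # A string token directly followed by ':' is an object key, not a value.
        if config_text[match.end():].lstrip().startswith(":"):
            continue
        value = json.loads(match.group(0))  # decode JSON escapes
        if not value.lower().startswith("http://"):
            continue  # prose that merely mentions http:// mid-string is ignored
        findings.append({
            "rule": "SEC302",
            "severity": "warn",
            "span": (match.start(), match.end()),
            "value": value,
            "suggestion": "https://" + value[len("http://"):],
        })
    return findings


# Constructed sample MCP-style config; the server names and hosts are made up.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "internal": {"url": "http://internal.test", "notes": "see http://docs.test"},
    "trusted":  {"url": "https://internal.test"},
    "local":    {"command": "node", "args": ["server.js"]}
  }
}"""

if __name__ == "__main__":
    for finding in find_insecure_endpoints(SAMPLE_CONFIG):
        start, end = finding["span"]
        print(f"{finding['rule']} {finding['severity']} at {start}-{end}: "
              f"{SAMPLE_CONFIG[start:end]} -> {finding['suggestion']}")
```

Only the "internal" server's url is reported; the "notes" value containing http:// in the middle of prose and the stdio-style "local" entry produce no finding.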