Rule Reference

SEC319 | lintai-ai-security | supply-chain | hardening | stable | server_json | warn

server.json remotes: insecure or private URL

server.json remotes entry uses an insecure or non-public remote URL

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: server_json
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks MCP registry remotes[] URLs for insecure HTTP and non-public host literals without inspecting local package transport URLs.

Deterministic signal basis

ServerJsonSignals remotes[] URL analysis limited to streamable-http and sse entries.

Malicious corpus: server-json-insecure-remote-url
Benign corpus: server-json-loopback-package-transport-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

Why It Matters

server.json remotes are intended to describe public registry endpoints. Insecure HTTP or non-public host literals weaken transport trust or leak private topology into published registry metadata.

What Triggers

SEC319 applies to server.json remotes[] entries and triggers when a remote URL is:

  • explicitly http://, or
  • a non-public host literal in the registry remote entry

It does not inspect package transport URLs.

Example that triggers:

json
{
  "remotes": [
    {
      "type": "streamable-http",
      "url": "http://example.com/mcp"
    }
  ]
}

Example that stays clean:

json
{
  "packages": [
    {
      "transport": {
        "type": "streamable-http",
        "url": "http://localhost:8080/mcp"
      }
    }
  ]
}
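
The scoping described above can be reproduced as a small pre-publish check. This is an added sketch, not lintai's own code: the function names, the sample document, and the definition of "non-public host" (local-only name suffixes plus any IP literal that is not globally routable) are assumptions, since the page does not spell that definition out.

```python
import ipaddress
import json
from urllib.parse import urlsplit

REMOTE_TYPES = {"streamable-http", "sse"}  # entry types in scope per the page
# Assumption: name suffixes treated as non-public; the page does not list any.
PRIVATE_SUFFIXES = (".localhost", ".local", ".internal")


def is_non_public_host(host):
    """Assumed definition: local-only names and non-global IP literals."""
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(PRIVATE_SUFFIXES):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # ordinary DNS name, not an IP literal


def check_remotes(doc):
    """Return (index, url, reason) for each remotes[] entry this sketch flags."""
    findings = []
    for i, remote in enumerate(doc.get("remotes") or []):
        url = remote.get("url")
        if remote.get("type") not in REMOTE_TYPES or not isinstance(url, str):
            continue
        parts = urlsplit(url)  # urlsplit lowercases the scheme
        if parts.scheme == "http":
            findings.append((i, url, "insecure-http"))
        if parts.hostname and is_non_public_host(parts.hostname):
            findings.append((i, url, "non-public-host"))
    return findings  # packages[].transport.url is never read


# Constructed sample: three remotes plus a local package transport.
SAMPLE = json.loads("""{
  "remotes": [
    {"type": "streamable-http", "url": "http://example.com/mcp"},
    {"type": "sse", "url": "https://10.0.0.5/sse"},
    {"type": "streamable-http", "url": "https://mcp.example.com/mcp"}
  ],
  "packages": [
    {"transport": {"type": "streamable-http", "url": "http://localhost:8080/mcp"}}
  ]
}""")

if __name__ == "__main__":
    print(*check_remotes(SAMPLE), sep="\n")
```

Run against the constructed sample, the first two remotes are reported and the loopback package transport is ignored, matching the trigger and clean examples above.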

False Positives

This rule is intentionally scoped to registry remotes[] entries, not all URL fields in the document. That avoids flagging local package transport details that are outside the public remote surface.

Remediation

Use a public HTTPS remote URL in the registry entry or remove the non-public literal from the remote definition.