
Rule Reference


server.json auth: missing explicit secret flag

server.json auth header carries material without an explicit secret flag

Public lane: compat
Category: quality
Provider: lintai-ai-security
Scope: per-file
Surface: server_json
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Config, schema, and policy contract review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Registry producers do not all enforce the same explicit secret-marker contract, so this remains a compatibility review signal until wider producer evidence converges.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

SEC323 flags server.json auth-carrying header entries that use a value or variables without an explicit isSecret or is_secret marker.

This is not a literal-secret detector. It is a policy-shape rule for server registry entries: when an auth header carries credential material, the manifest should mark that fact explicitly so downstream tooling can treat it as secret-bearing config.

What Triggers

SEC323 applies to server.json remotes header entries and triggers when:

  • the header looks auth-like, such as Authorization or x-api-key
  • the header carries value or variable-backed material
  • and the same header object does not explicitly set isSecret or is_secret to true

Example that triggers:

```json
{
  "headers": [
    {
      "name": "x-api-key",
      "value": "{API_KEY}",
      "variables": {
        "API_KEY": { "description": "API key" }
      }
    }
  ]
}
```

Example that stays clean:

```json
{
  "headers": [
    {
      "name": "x-api-key",
      "value": "{API_KEY}",
      "variables": {
        "API_KEY": { "description": "API key" }
      },
      "isSecret": true
    }
  ]
}
```
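The trigger conditions above, implemented as a small structural checker over a server.json manifest. This is an added illustration, not the lintai-ai-security implementation; the auth-like header name list beyond Authorization and x-api-key, the `remotes[i].headers[j]` path format, and the sample manifest are assumptions of this example.

```python
import json
import re

# Auth-like header names (the rule page names Authorization and x-api-key; the rest are assumed).
AUTH_LIKE = re.compile(
    r"^(authorization|proxy-authorization|x-api-key|api-key|x-auth-token)$", re.I
)

def header_needs_secret_flag(header: dict) -> bool:
    """Return True when a single header object would trigger SEC323."""
    if not AUTH_LIKE.match(str(header.get("name", ""))):
        return False                      # not auth-like: out of scope
    carries_material = "value" in header or bool(header.get("variables"))
    if not carries_material:
        return False                      # nothing secret-bearing to mark
    # Only an explicit boolean true clears the rule; a missing flag or false still triggers.
    explicit = header.get("isSecret") is True or header.get("is_secret") is True
    return not explicit

def check_server_json(text: str) -> list[dict]:
    """Walk remotes[*].headers[*] and collect SEC323 findings."""
    manifest = json.loads(text)
    findings = []
    for r, remote in enumerate(manifest.get("remotes", [])):
        for h, header in enumerate(remote.get("headers", [])):
            if header_needs_secret_flag(header):
                findings.append({
                    "rule": "SEC323",
                    "path": f"remotes[{r}].headers[{h}]",
                    "header": header.get("name"),
                    "message": "auth header carries material without an explicit isSecret/is_secret marker",
                })
    return findings

# Constructed sample manifest (not a real registry entry): one unmarked x-api-key header,
# one Authorization header correctly marked via is_secret, and one out-of-scope header.
SAMPLE = json.dumps({
    "remotes": [{
        "type": "streamable-http", "url": "https://example.invalid/mcp",
        "headers": [
            {"name": "x-api-key", "value": "{API_KEY}",
             "variables": {"API_KEY": {"description": "API key"}}},
            {"name": "Authorization", "value": "Bearer {TOKEN}",
             "variables": {"TOKEN": {"description": "token"}}, "is_secret": True},
            {"name": "Accept", "value": "application/json"},
        ],
    }]
})
```

Running `check_server_json(SAMPLE)` reports exactly one finding, at `remotes[0].headers[0]`, for the x-api-key header.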

False Positives

This rule stays Preview because secret-policy expectations can vary across registry producers. The finding is useful as a consistency and secret-handling signal, but it is not equivalent to proving that a literal credential was committed.

Remediation

Mark auth-carrying header entries with isSecret: true or is_secret: true when they carry value or variable-backed credential material.