Rule Reference

SEC336 | lintai-ai-security | governance | hardening | preview | json | warn

MCP client config: broad envFile

Repo-local MCP client config loads a broad dotenv-style envFile

Public lane: governance
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: json
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Broad envFile loading is a useful review signal, but whether it is materially risky still depends on repo-local review policy and env contents.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Why It Matters

Broad repo-local .env loading can silently inject more credentials and local state than the MCP client or server actually needs. That makes the committed client config less reviewable and widens secret exposure by default.

What Triggers

SEC336 applies to repo-local MCP client config such as .cursor/mcp.json or .vscode/mcp.json and triggers when a server entry loads a broad dotenv-style envFile.

Example that triggers:

```json
{"servers":{"demo":{"envFile":".env"}}}
```

Examples that stay clean:

```json
{"servers":{"demo":{"envFile":"configs/server.env.json"}}}
{"servers":{"demo":{"envFile":"${workspaceFolder}/.env"}}}
```
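For reviewers who want to reproduce this signal in a pre-commit hook, the sketch below approximates the check. It is an added example, not lintai's implementation: the definition of "broad" (a file named `.env` or `.env.<suffix>` with no `${...}` variable prefix), the extra `mcpServers` key, and the function names are assumptions chosen to agree with the three configs shown above.

```python
import json
from pathlib import PurePosixPath


def is_broad_env_file(value):
    """Assumed heuristic: a dotenv file name that is not variable-scoped."""
    if not isinstance(value, str) or not value.strip():
        return False
    path = value.strip().replace("\\", "/")
    if path.startswith("${"):
        # Explicitly scoped, e.g. ${workspaceFolder}/.env, stays clean.
        return False
    name = PurePosixPath(path).name
    return name == ".env" or name.startswith(".env.")


def find_broad_env_files(config_text):
    """Return (server_name, envFile) pairs that load a broad dotenv file."""
    config = json.loads(config_text)
    findings = []
    if not isinstance(config, dict):
        return findings
    # "servers" is the key used on this page; "mcpServers" is an assumed
    # addition for clients that name the same table differently.
    for key in ("servers", "mcpServers"):
        servers = config.get(key)
        if not isinstance(servers, dict):
            continue
        for name, entry in servers.items():
            if isinstance(entry, dict) and is_broad_env_file(entry.get("envFile")):
                findings.append((name, entry["envFile"]))
    return findings


# Constructed sample input: the three configs from this page.
SAMPLES = [
    '{"servers":{"demo":{"envFile":".env"}}}',
    '{"servers":{"demo":{"envFile":"configs/server.env.json"}}}',
    '{"servers":{"demo":{"envFile":"${workspaceFolder}/.env"}}}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = find_broad_env_files(sample)
        print("FLAG " if hits else "clean", sample, hits)
```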

False Positives

This rule stays Preview because whether broad env-file loading is materially risky depends on repo policy and the actual env contents. The signal is still useful as a review prompt because the client config is opting into wide secret ingestion.

Remediation

Prefer narrower explicit env injection over broad repo-local .env files for committed MCP client configs, or make the path clearly workspace-scoped and reviewable.