lintai docs

Appearance

Rule Reference

SEC346lintai-ai-securitysupply-chainhardeningstablejsonwarn

MCP config: mutable registry refresh

MCP configuration forces Docker to refresh from a mutable registry source

Public lane
supply-chain
Category
hardening
Provider
lintai-ai-security
Scope
per-file
Surface
json
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

supply-chainsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed MCP config Docker launch paths for explicit --pull always refresh policies that force a mutable registry fetch at runtime.

Deterministic signal basis

JsonSignals docker run argument analysis over ArtifactKind::McpConfig objects, limited to explicit --pull=always or --pull always forms.

Malicious corpus
gemini-mcp-docker-pull-always
Benign corpus
gemini-mcp-docker-digest-pinned-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC302Config: insecure HTTP endpointConfiguration contains an insecure http:// endpointsupply-chainhardeningjson
SEC304Config: TLS verification disabledConfiguration disables TLS or certificate verificationsupply-chainhardeningjson
SEC330MCP config: remote content piped to shellMCP configuration command downloads remote content and pipes it into a shellsupply-chainsecurityjson
SEC331MCP config: TLS verification disabledMCP configuration command disables TLS verification in a network-capable execution pathsupply-chainhardeningjson
SEC337MCP config: Docker image not digest-pinnedMCP configuration launches Docker with an image reference that is not digest-pinnedsupply-chainhardeningjson
SEC343Plugin hook: mutable package launcherPlugin hook command uses a mutable package launchersupply-chainhardeningjson

Why It Matters

Forcing Docker to refresh from the registry at runtime weakens reproducibility even when the image name itself looks reviewed. In committed MCP config, --pull always turns the launch path back into a mutable registry fetch.

What Triggers

SEC346 applies to committed MCP config Docker launch paths and triggers on explicit:

  • --pull=always
  • --pull always

forms in docker run command arguments.

Examples that trigger:

json
{"command":"docker","args":["run","--pull","always","ghcr.io/acme/server@sha256:..."]}
{"command":"docker","args":["run","--pull=always","ghcr.io/acme/server:1.2.3"]}

Example that stays clean:

json
{"command":"docker","args":["run","ghcr.io/acme/server@sha256:0123456789abcdef"]}

False Positives

The rule is structural and only looks for explicit forced-pull policies in actual MCP Docker launch paths. It does not treat every mutable image reference as the same class of finding.

Remediation

Remove the forced Docker pull policy from the committed config and prefer pinned, reproducible image references.