Rule Reference

SEC348 | lintai-ai-security | supply-chain | hardening | preview | markdown | warn

AI markdown: mutable Docker image

AI-native markdown Docker example uses a mutable registry image

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Mutable Docker image examples in markdown can be legitimate setup guidance, so the first release stays in the explicit supply-chain lane rather than a stronger default posture.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

SEC348 flags AI-native markdown that recommends docker run against a mutable registry image instead of a digest-pinned image.

These examples are common in setup docs, but they weaken reproducibility:

  • the same command can pull different content over time
  • reviewers cannot tell which image digest the docs actually endorsed
  • community users often copy-paste these examples directly into local automation

Positioning

This is a context-sensitive preview rule. The detector is structural and useful, but many real setup docs deliberately trade reproducibility for simplicity, so the finding should be reviewed as hardening guidance rather than treated as a universal badness signal.

The point of the finding is to surface mutability and reviewability tradeoffs, not to claim that every unpinned image example is an active security incident.

What Triggers

SEC348 applies only to AI-native markdown and triggers when:

  • the region contains a literal docker run
  • the image token looks like a public or registry image
  • the image is not pinned with @sha256:...

Examples that trigger:

```text
docker run -p 6333:6333 qdrant/qdrant
docker run -p 6006:6006 arizephoenix/phoenix:latest
docker run -t owasp/zap2docker-stable zap-full-scan.py
```

Examples that stay clean:

```text
docker run ghcr.io/acme/server@sha256:0123...
docker run my-app:latest
```

my-app:latest stays clean because it looks like a local image name, not clearly a registry-distributed dependency.
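
The three trigger conditions above, applied to this page's own examples. This is an added example, not lintai's detector: the list of value-less docker run flags and the rule that a "/" marks a registry image are assumptions, and image_token and find_mutable_images are hypothetical names.

```python
import re
import shlex

# Assumption: these docker run flags take no value; every other option is
# treated as consuming the next token unless written as --opt=value.
BOOLEAN_FLAGS = {"--rm", "--tty", "--interactive", "--detach",
                 "--privileged", "--init", "--read-only"}
SHORT_BOOLS = re.compile(r"^-[dit]+$")  # -d, -i, -t, -it, -dit

def image_token(line):
    """Return the image argument of a `docker run` line, or None."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in surrounding prose
        tokens = line.split()
    for i in range(len(tokens) - 1):
        if tokens[i:i + 2] == ["docker", "run"]:
            break
    else:
        return None
    skip_value = False
    for tok in tokens[i + 2:]:
        if skip_value:
            skip_value = False
        elif tok.startswith("-"):
            is_bool = tok in BOOLEAN_FLAGS or bool(SHORT_BOOLS.match(tok))
            skip_value = not is_bool and "=" not in tok
        else:
            return tok
    return None

def find_mutable_images(markdown):
    """Return (line_number, image) for each unpinned registry image."""
    findings = []
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        image = image_token(line)
        # Assumed heuristic: '/' marks a registry or namespaced image;
        # a bare name such as my-app:latest is treated as local.
        if image and "/" in image and "@sha256:" not in image:
            findings.append((lineno, image))
    return findings

# The trigger and clean examples from this page, as sample input.
SAMPLE = """docker run -p 6333:6333 qdrant/qdrant
docker run -p 6006:6006 arizephoenix/phoenix:latest
docker run -t owasp/zap2docker-stable zap-full-scan.py
docker run ghcr.io/acme/server@sha256:0123...
docker run my-app:latest
"""
```

Calling find_mutable_images(SAMPLE) reports lines 1 to 3 and leaves the digest-pinned and local-name lines clean.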

False Positives

This rule stays Preview because many docs intentionally optimize for simplicity over reproducibility. The finding is still useful as guidance, but it should not yet be read as proof of a dangerous runtime configuration.

Remediation

The cleanest remediation is to publish examples with digest-pinned images:

```text
docker run ghcr.io/acme/server@sha256:0123...
```

If a digest-pinned example is not practical, add explicit reproducibility guidance so users understand the tradeoff and do not assume the example is stable forever.