lintai docs

Appearance

Rule Reference

SEC349lintai-ai-securitythreat-reviewauditpreviewmarkdownwarn

AI markdown: privileged Docker pattern

AI-native markdown Docker example uses a host-escape or privileged runtime pattern

Public lane
threat-review
Category
audit
Provider
lintai-ai-security
Scope
per-file
Surface
markdown
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Heuristic or triage-oriented review signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane
skillssurface preset

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Docker host-escape examples are strong threat-review signals, but infra-debugging and lab material can still document them intentionally.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC101HTML comment: dangerous instructionsHidden HTML comment contains dangerous agent instructionsthreat-reviewauditmarkdown
SEC102Markdown: remote execution instructionMarkdown contains remote download-and-execute instruction outside code blocksthreat-reviewauditmarkdown
SEC103HTML comment: remote execution instructionHidden HTML comment contains remote download-and-execute instructionthreat-reviewauditmarkdown
SEC104Markdown: base64 executable payloadMarkdown contains a base64-decoded executable payload outside code blocksthreat-reviewauditmarkdown
SEC105Markdown: parent-directory file accessMarkdown instructions reference parent-directory traversal for file accessthreat-reviewauditmarkdown
SEC313Shell example: remote content piped to shellFenced shell example pipes remote content directly into a shellthreat-reviewauditmarkdown

Why It Matters

Privileged Docker examples in AI-native markdown are easy to copy into local execution without the surrounding caveats. Patterns like --privileged, host namespaces, or a docker.sock mount turn shared docs into operational guidance for container-to-host escape or host-level control.

Positioning

This is a context-sensitive threat-review rule. The detector points at real host-escape patterns, but infra debugging, security labs, and some ops runbooks may intentionally document them.

What Triggers

SEC349 applies only to AI-native markdown and triggers when a docker run example includes a host-escape or privileged runtime pattern such as:

  • --privileged
  • --network host
  • --pid host
  • --ipc host
  • bind mounts or mounts of /var/run/docker.sock

Examples that trigger:

text
docker run --privileged ghcr.io/acme/tool
docker run --network host ghcr.io/acme/tool
docker run -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/acme/tool

Examples that stay clean:

text
docker run qdrant/qdrant
docker run ghcr.io/acme/server@sha256:0123...

False Positives

This rule remains in threat-review because security-lab or infra-debugging docs may intentionally show these commands. The detector is still valuable because it identifies real host-escape patterns, but the surrounding context can be legitimate and should be reviewed before escalation.

Remediation

Prefer examples without privileged flags, host namespaces, or docker.sock mounts. If the risky pattern is intentionally documented for lab use, label it explicitly as a dangerous exception instead of presenting it as a normal setup step.