Rule Reference

SEC354 | lintai-ai-security | guidance | quality | preview | markdown | warn

Copilot instructions: missing `applyTo`

Path-specific GitHub Copilot instruction markdown is missing `applyTo` frontmatter

Public lane: guidance
Category: quality
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Advice-oriented guidance and maintainability review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Missing `applyTo` on path-specific Copilot instruction files is deterministic, but the first release stays guidance-only while external usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Path-specific GitHub Copilot instruction files under .github/instructions/ are meant to scope behavior to a file pattern. Without applyTo, the document is harder to reason about and can silently fail to target the files the author intended.

What Triggers

SEC354 applies only to path-specific GitHub Copilot instruction files:

  • .github/instructions/*.instructions.md

It triggers when:

  • the file has no frontmatter at all, or
  • the frontmatter parses successfully but does not contain applyTo

Examples that trigger:

  • .github/instructions/review.instructions.md with no frontmatter
  • a path-specific instruction file with frontmatter like title: Review but no applyTo

Examples that stay clean:

  • frontmatter with applyTo: "**/*.rs"
  • fixture-like paths such as tests/fixtures/.github/instructions/review.instructions.md
  • files with invalid YAML frontmatter, which stay outside this rule to avoid mixing parse recovery with applyTo policy
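
The trigger conditions above, sketched as a stand-alone Ruby check. This is an added example, not lintai's implementation: the name `sec354`, both regexes, and the reading of "fixture-like" as "not rooted at the repository's own .github/instructions/" are assumptions, and the sample inputs are constructed.

```ruby
require 'yaml'

# Assumption: a path-specific instruction file is a repo-relative path directly
# under .github/instructions/ at the repository root, so fixture-like copies
# nested elsewhere (tests/fixtures/...) never match.
INSTRUCTION_PATH = %r{\A\.github/instructions/[^/]+\.instructions\.md\z}

# Frontmatter: a leading '---' line, the YAML body, then a closing '---' line.
FRONTMATTER = /\A---[ \t]*\r?\n(.*?)^---[ \t]*\r?$/m

# Returns :finding when SEC354 would warn, :clean otherwise.
def sec354(path, content)
  return :clean unless path.match?(INSTRUCTION_PATH)

  block = content.match(FRONTMATTER)
  return :finding if block.nil?          # no frontmatter at all

  begin
    data = YAML.safe_load(block[1])
  rescue Psych::Exception
    return :clean                        # invalid YAML stays outside this rule
  end

  # Frontmatter parsed: require a top-level applyTo key.
  data.is_a?(Hash) && data.key?('applyTo') ? :clean : :finding
end

# Constructed sample inputs, one per case listed above.
REAL    = '.github/instructions/review.instructions.md'
FIXTURE = 'tests/fixtures/.github/instructions/review.instructions.md'
SAMPLES = {
  no_frontmatter: [REAL, "# Review rules\n"],
  title_only:     [REAL, "---\ntitle: Review\n---\n# Review rules\n"],
  has_apply_to:   [REAL, "---\napplyTo: \"**/*.rs\"\n---\n# Rust rules\n"],
  fixture_path:   [FIXTURE, "# Review rules\n"],
  invalid_yaml:   [REAL, "---\ntitle: \"Review\n---\n# Review rules\n"]
}

SAMPLES.each do |name, (path, content)|
  puts format('%-15s %s', name, sec354(path, content))
end
```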

False Positives

This rule now lives in the explicit guidance lane because some repos may still be migrating older instruction layouts. The rule is about deterministic Copilot configuration quality, not a claim that the repository is insecure by itself.

Remediation

Add explicit applyTo frontmatter to each path-specific instruction file, for example:

```yaml
---
applyTo: "**/*.rs"
---
```

If the content is meant to be repository-wide instead of path-specific, move it into .github/copilot-instructions.md.