lintai docs

Appearance

Rule Reference

SEC361lintai-ai-securitycompatqualitypreviewclaude_settingswarn

Claude settings: missing `$schema`

Claude settings file is missing a top-level `$schema` reference

Public lane
compat
Category
quality
Provider
lintai-ai-security
Scope
per-file
Surface
claude_settings
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Config, schema, and policy contract review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

compatsidecar lane
claudesurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks shared committed Claude settings for omission of a top-level `$schema` reference.

Deterministic signal basis

ClaudeSettingsSignals exact top-level `$schema` presence detection in parsed Claude settings JSON.

Malicious corpus
claude-settings-missing-schema
Benign corpus
claude-settings-schema-present-safe
structured evidence required remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC363Claude settings: home-directory hook pathClaude settings hook command uses a home-directory path in a shared committed configcompatqualityclaude_settings
SEC368Claude settings: repo-external absolute hook pathClaude settings hook command uses a repo-external absolute path in a shared committed configcompatqualityclaude_settings
SEC381Claude settings: command hook missing `timeout`Claude settings command hook should set `timeout` in a shared committed configcompatqualityclaude_settings
SEC382Claude settings: `matcher` on unsupported hook eventClaude settings should not use `matcher` on unsupported hook eventscompatqualityclaude_settings
SEC383Claude settings: missing `matcher` on matcher-capable hook eventClaude settings should set `matcher` on matcher-capable hook eventscompatqualityclaude_settings
SEC365Claude settings: non-HTTPS allowed HTTP hook URLClaude settings allow non-HTTPS HTTP hook URLs in a shared committed configsupply-chainhardeningclaude_settings

Why It Matters

SEC361 flags committed Claude settings files that omit a top-level $schema reference.

This is useful because:

  • shared .claude/settings.json files are configuration artifacts, not free-form notes
  • a schema reference improves editor validation and makes team-owned settings easier to review
  • the failure mode is community-hostile: the file looks authoritative, but misses a low-cost interoperability hint that many users expect in checked-in JSON config

Positioning

This is a compat rule, not a headline security finding. The signal is about shared config correctness and reviewer ergonomics on team-owned Claude settings.

What Triggers

This rule applies only to committed Claude settings surfaces:

  • .claude/settings.json
  • claude/settings.json

It triggers when:

  • the JSON parses as a top-level object
  • and the object does not contain $schema

Example that triggers:

json
{
  "hooks": {
    "Stop": []
  }
}

Example that stays clean:

json
{
  "$schema": "https://json.schemastore.org/claude-code-settings.json",
  "hooks": {
    "Stop": []
  }
}
  • fixture-like paths under tests/, fixtures/, examples/, or samples/

False Positives

Some repositories intentionally keep Claude settings minimal or target editor setups without schema-aware validation. The signal is about deterministic configuration quality and maintainability, not about exploitability, which is why it now belongs in the compat lane rather than the main security preview lane.

Remediation

Add the top-level SchemaStore URL:

json
{
  "$schema": "https://json.schemastore.org/claude-code-settings.json"
}

Keep the rest of the settings file unchanged. The goal is to make shared Claude settings easier to validate and review, not to change runtime behavior.