
Rule Reference

SEC364 · lintai-ai-security · governance · hardening · stable · claude_settings · warn

Claude settings: bypassPermissions default mode

Claude settings set `permissions.defaultMode` to `bypassPermissions` in a shared committed config

Public lane: governance
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: claude_settings
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks shared Claude settings for explicit `permissions.defaultMode = bypassPermissions`.

Deterministic signal basis

ClaudeSettingsSignals exact string detection for `permissions.defaultMode = bypassPermissions` on parsed Claude settings JSON.

Malicious corpus
claude-settings-bypass-permissions
Benign corpus
claude-settings-bypass-safe
Structured evidence: required
Remediation: reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

SEC364 flags committed Claude settings that set permissions.defaultMode to bypassPermissions.

This is useful because:

  • shared Claude settings in git are team-facing policy, not a one-off local override
  • bypassPermissions skips the per-tool permission prompt, so every tool call (shell commands, file writes) runs without human review; once committed, that weakened boundary is easy to miss later
  • narrower shared permission modes with explicit allowlists are easier for teams to audit and trust

What Triggers

This rule applies only to committed Claude settings surfaces:

  • .claude/settings.json
  • claude/settings.json

It triggers only on the exact structural shape:

  • permissions.defaultMode = "bypassPermissions"

It does not trigger on:

  • other defaultMode values
  • settings files under fixture-like test/example paths
  • prose or markdown references outside real Claude settings JSON
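The detection shape above, as an added example written for this page rather than lintai's own rule code: it parses each candidate file as JSON, matches only on the exact `permissions.defaultMode == "bypassPermissions"` structure, and returns nothing for other modes, unparseable or prose content, and files outside the two listed surfaces. The fixture-path segment list, the acceptance of the surfaces at any directory depth, and the `Finding` record are this example's own assumptions, not the project's.

```python
"""Minimal SEC364-style detector (added example, not lintai's implementation)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# The two committed settings surfaces named by the rule.
SETTINGS_SURFACES = (".claude/settings.json", "claude/settings.json")

# Assumption: directory segments treated as fixture-like test/example paths.
FIXTURE_SEGMENTS = {"test", "tests", "testdata", "fixture", "fixtures",
                    "__fixtures__", "example", "examples"}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    severity: str
    message: str


def is_claude_settings_surface(path: str) -> bool:
    """True for .claude/settings.json or claude/settings.json at any depth
    (depth handling is an assumption of this example). Local override files
    such as settings.local.json are not a surface and never match."""
    norm = path.replace("\\", "/")
    return any(norm == s or norm.endswith("/" + s) for s in SETTINGS_SURFACES)


def is_fixture_path(path: str) -> bool:
    """True when any directory segment before the file looks fixture-like."""
    parts = path.replace("\\", "/").split("/")
    return any(p.lower() in FIXTURE_SEGMENTS for p in parts[:-1])


def check_claude_settings(path: str, content: str) -> list[Finding]:
    """Run the SEC364 check over one file.

    Returns [] for non-surfaces, fixture paths, content that is not valid
    JSON (markdown/prose that merely mentions the string), and any
    defaultMode other than the exact value bypassPermissions.
    """
    if not is_claude_settings_surface(path) or is_fixture_path(path):
        return []
    try:
        data = json.loads(content)
    except json.JSONDecodeError:
        return []  # prose or broken JSON is not a parsed settings surface
    perms = data.get("permissions") if isinstance(data, dict) else None
    if not isinstance(perms, dict):
        return []
    if perms.get("defaultMode") != "bypassPermissions":
        return []
    return [Finding(
        rule="SEC364",
        path=path,
        severity="warn",
        message="permissions.defaultMode is bypassPermissions in a shared "
                "Claude settings file; use a narrower mode with an "
                "explicit reviewed allowlist",
    )]


def scan(files: dict[str, str]) -> list[Finding]:
    """Apply the check to an in-memory {path: content} corpus."""
    findings: list[Finding] = []
    for path, content in files.items():
        findings.extend(check_claude_settings(path, content))
    return findings


# Constructed sample repository (not a real project). Only the first entry
# should produce a finding.
SAMPLE_REPO = {
    ".claude/settings.json":
        '{"permissions": {"defaultMode": "bypassPermissions", "allow": ["Read", "Write"]}}',
    "svc/claude/settings.json":
        '{"permissions": {"defaultMode": "acceptEdits", "allow": ["Read"]}}',
    "tests/fixtures/.claude/settings.json":
        '{"permissions": {"defaultMode": "bypassPermissions"}}',
    "docs/claude.md":
        'Never commit "defaultMode": "bypassPermissions" to shared settings.',
    ".claude/settings.local.json":
        '{"permissions": {"defaultMode": "bypassPermissions"}}',
}

if __name__ == "__main__":
    for f in scan(SAMPLE_REPO):
        print(f"{f.rule} [{f.severity}] {f.path}: {f.message}")
```

Running the module prints a single finding for `.claude/settings.json`; the nested `acceptEdits` file, the fixture copy, the markdown mention, and the local override file are all silent, matching the trigger and non-trigger lists above.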

Examples

Bad:

```json
{
  "permissions": {
    "defaultMode": "bypassPermissions",
    "allow": ["Read", "Write"]
  }
}
```

Better:

```json
{
  "permissions": {
    "defaultMode": "default",
    "allow": ["Read", "Write"]
  }
}
```

Remediation

  • replace bypassPermissions with a narrower shared permissions mode
  • keep broad grants behind explicit reviewed allowlists instead of a global bypass default
  • treat committed Claude settings as team policy, not as a personal local convenience file