lintai docs

Appearance

Rule Reference

SEC370lintai-ai-securityguidancequalitypreviewmarkdownwarn

Copilot instructions: wrong path-specific suffix

Path-specific GitHub Copilot instruction markdown under `.github/instructions/` uses the wrong file suffix

Public lane
guidance
Category
quality
Provider
lintai-ai-security
Scope
per-file
Surface
markdown
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Advice-oriented guidance and maintainability review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

guidancesidecar lane

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Wrong suffix on path-specific Copilot instruction files is deterministic, but the first release stays guidance-only while ecosystem usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC353Copilot instructions: exceeds 4000 charsGitHub Copilot instruction markdown exceeds the 4000-character guidance limitguidancequalitymarkdown
SEC354Copilot instructions: missing `applyTo`Path-specific GitHub Copilot instruction markdown is missing `applyTo` frontmatterguidancequalitymarkdown
SEC355AI markdown: wildcard tool grantAI-native markdown frontmatter grants wildcard tool accessguidancehardeningmarkdown
SEC356Plugin agent: `permissionMode` in frontmatterPlugin agent frontmatter sets `permissionMode`guidancequalitymarkdown
SEC357Plugin agent: `hooks` in frontmatterPlugin agent frontmatter sets `hooks`guidancequalitymarkdown
SEC358Plugin agent: `mcpServers` in frontmatterPlugin agent frontmatter sets `mcpServers`guidancequalitymarkdown

Why It Matters

Path-specific GitHub Copilot instruction files under .github/instructions/ need the .instructions.md suffix to participate in the expected layout contract. A plain .md filename can look correct in review but silently miss the intended path-specific behavior.

What Triggers

SEC370 applies only to path-specific GitHub Copilot instruction markdown under:

  • .github/instructions/*.md

It triggers when:

  • the file is under .github/instructions/
  • the file ends with .md
  • the file does not end with .instructions.md

Examples that trigger:

  • .github/instructions/review.md
  • .github/instructions/security-guidelines.md

Examples that stay clean:

  • .github/instructions/review.instructions.md
  • .github/copilot-instructions.md
  • fixture-like paths such as tests/fixtures/.github/instructions/review.md

False Positives

This rule now lives in the explicit guidance lane because some repositories may still be migrating older layouts. The signal is deterministic and structural, but the first release remains guidance-only until broader ecosystem usefulness is measured.

Remediation

  • rename path-specific Copilot instruction files to *.instructions.md
  • keep repository-wide Copilot guidance in .github/copilot-instructions.md