
Rule Reference

SEC371 | lintai-ai-security | guidance | quality | preview | markdown | warn

Copilot instructions: invalid `applyTo` shape

Path-specific GitHub Copilot instruction markdown has an invalid `applyTo` shape

Public lane: guidance
Category: quality
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Advice-oriented guidance and maintainability review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Invalid `applyTo` shape on path-specific Copilot instruction files is deterministic, but the first release stays guidance-only while ecosystem usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Path-specific GitHub Copilot instruction files use `applyTo` to scope guidance to file patterns. If `applyTo` is empty or malformed, the file can look valid in review while silently failing to target the intended files.

What Triggers

SEC371 applies only to path-specific GitHub Copilot instruction files:

  • `.github/instructions/*.instructions.md`

It triggers when `applyTo` exists but is not one of:

  • a non-empty string
  • a non-empty sequence of non-empty strings

Examples that trigger:

  • `applyTo: ""`
  • `applyTo: []`
  • `applyTo: [123]`
  • `applyTo: ["**/*.rs", ""]`

Examples that stay clean:

  • `applyTo: "**/*.rs"`
  • `applyTo: ["**/*.rs", "**/*.ts"]`
  • fixture-like paths such as `tests/fixtures/.github/instructions/review.instructions.md`
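
The trigger conditions above written out as a checker, added here as an illustration and not lintai's own code. The function names, the root-only path match used to keep fixture paths clean, and decoding the value as JSON (enough for the single-line forms listed above) are assumptions.

```python
import json
from pathlib import PurePosixPath

_ABSENT = object()  # sentinel: frontmatter has no applyTo key


def in_scope(path):
    """Assumed scoping: only .github/instructions/*.instructions.md at the repo root."""
    parts = PurePosixPath(path).parts
    return (len(parts) == 3 and parts[:2] == (".github", "instructions")
            and parts[2].endswith(".instructions.md"))


def read_apply_to(text):
    """Read applyTo from the leading '---' frontmatter block.

    Simplification: the value is decoded as JSON, which covers the single-line
    forms shown on this page; other YAML forms raise ValueError.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return _ABSENT
    for line in lines[1:]:
        if line.strip() == "---":
            break
        key, sep, raw = line.partition(":")
        if sep and key == "applyTo":
            return json.loads(raw) if raw.strip() else None
    return _ABSENT


def valid_shape(value):
    """A non-empty string, or a non-empty list of non-empty strings."""
    if isinstance(value, str):
        return value != ""
    if isinstance(value, list):
        return bool(value) and all(isinstance(v, str) and v != "" for v in value)
    return False


def sec371_triggers(path, text):
    """True when an in-scope file has an applyTo key with an invalid shape."""
    if not in_scope(path):
        return False
    value = read_apply_to(text)
    return value is not _ABSENT and not valid_shape(value)


def sample(value_text):
    """Constructed instruction file whose frontmatter holds one applyTo line."""
    return "---\napplyTo: " + value_text + "\n---\nPrefer explicit error handling.\n"
```

A file with no `applyTo` key returns `False` here, matching the statement that the rule fires only when the key exists.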

False Positives

This rule now lives in the explicit guidance lane because some repositories may still be migrating older layouts. The signal is deterministic and structural, but the first release remains guidance-only until broader ecosystem usefulness is measured.

Remediation

  • set `applyTo` to a non-empty string glob, or
  • set `applyTo` to a non-empty YAML sequence of non-empty glob strings