
Rule Reference

SEC417 · lintai-ai-security · supply-chain · hardening · stable · markdown · warn

AI markdown: unpinned pip git install

AI-native markdown installs Python packages from an unpinned `git+https://` source

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native markdown for `pip install` examples that pull directly from mutable git+https sources without commit pinning.

Deterministic signal basis

MarkdownSignals: exact `pip install` token match plus `git+https://` token analysis, with commit-pin detection, inside parsed markdown regions.

Malicious corpus: claude-unpinned-pip-git-install
Benign corpus: claude-unpinned-pip-git-install-commit-pinned-safe
structured evidence required · remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC417 / MD-PIP-GIT-UNPINNED

AI-native markdown installs Python packages from an unpinned git+https:// source.

Why It Matters

`pip install git+https://...` examples teach users to install directly from mutable repository state instead of a published release or a commit-pinned reference. In shared AI setup docs, those examples are easy to copy unchanged and are hard to reproduce later.

Treat this as supply-chain hardening guidance about mutability and reviewability, not as proof that the referenced repository is compromised.

Trigger Shape

This rule applies to AI-native markdown surfaces such as SKILL.md, CLAUDE.md, Copilot instruction files, and similar instruction markdown already classified by the scanner.

The rule triggers when the same markdown line contains:

  • `pip install`, `pip3 install`, or `python -m pip install`
  • `git+https://`
  • no immutable commit-style ref in the git URL

Mutable refs like @main still trigger.

Clean Cases

  • `pip3 install "pkg @ git+https://github.com/org/repo.git@8a1a0ec"`
  • published package install commands without a git URL

Example Trigger

```bash
pip install git+https://github.com/pytorch/ao.git
```

```bash
pip install -U git+https://github.com/facebookresearch/xformers.git@main#egg=xformers
```

Safer Example

```bash
pip3 install "pkg @ git+https://github.com/org/repo.git@8a1a0ec"
```

How To Fix

  • replace the git-backed install with a published package release
  • or pin the git URL to an immutable commit reference
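
As an added illustration (not lintai's own code, and not how the scanner is implemented), here is a small Python pass that applies the Trigger Shape above to constructed markdown lines and then rewrites a flagged source into the commit-pinned form from the Safer Example and How To Fix. The hex-digit test for a commit-style ref, the `#egg=`/repository-basename rule for the distribution name, the sample lines and the placeholder commit id are all assumptions of this example, not definitions taken from the page.

```python
import re

# The three install spellings listed under Trigger Shape.
PIP_INSTALL = re.compile(r"\b(?:pip3?|python3?\s+-m\s+pip)\s+install\b")

# One git+https:// source: repository path, optional @ref, optional #fragment (e.g. #egg=name).
GIT_SOURCE = re.compile(
    r"git\+https://(?P<repo>[^\s@#\"']+)"
    r"(?:@(?P<ref>[^\s#\"']+))?"
    r"(?:#(?P<fragment>[^\s\"']+))?"
)

# Assumption of this example (the page does not define it): a commit-style ref is
# 7 to 40 hex digits. Branches, tags and a missing ref all count as mutable.
COMMIT_REF = re.compile(r"[0-9a-fA-F]{7,40}")


def is_commit_pinned(ref):
    """True only for an abbreviated or full hex object id."""
    return ref is not None and COMMIT_REF.fullmatch(ref) is not None


def unpinned_git_sources(line):
    """git+https:// sources on one markdown line that lack a commit pin.

    Returns [] when the line is not a pip install command or every source is
    pinned, which are the Clean Cases on this page.
    """
    if not PIP_INSTALL.search(line):
        return []
    return [m.group(0) for m in GIT_SOURCE.finditer(line)
            if not is_commit_pinned(m.group("ref"))]


def scan_markdown(text):
    """SEC417-style pass: one finding per offending line, with the offending sources."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        sources = unpinned_git_sources(line)
        if sources:
            findings.append({"rule": "SEC417", "line": number, "sources": sources})
    return findings


def pin_source(source, commit):
    """Rewrite one git+https:// source into the Safer Example form:
    'name @ git+https://host/org/repo.git@<commit>'.

    The caller resolves the mutable ref to a commit first (for example with
    git ls-remote). The distribution name comes from #egg= when present,
    otherwise from the repository basename; that fallback is a heuristic,
    since the two need not agree.
    """
    m = GIT_SOURCE.fullmatch(source)
    if m is None:
        raise ValueError(f"not a git+https:// source: {source}")
    if not is_commit_pinned(commit):
        raise ValueError(f"not a commit-style ref: {commit}")
    egg = re.search(r"(?:^|&)egg=([^&]+)", m.group("fragment") or "")
    if egg:
        name = egg.group(1)
    else:
        name = m.group("repo").rsplit("/", 1)[-1]
        if name.endswith(".git"):
            name = name[:-4]
    return f"{name} @ git+https://{m.group('repo')}@{commit}"


# Constructed sample: the page's example lines plus a tag-pinned line and two non-triggers.
SAMPLE_MARKDOWN = "\n".join([
    "# Setup (constructed sample, not taken from any real SKILL.md)",
    "pip install git+https://github.com/pytorch/ao.git",
    "pip install -U git+https://github.com/facebookresearch/xformers.git@main#egg=xformers",
    "pip install git+https://github.com/org/repo.git@v1.2.0",
    'pip3 install "pkg @ git+https://github.com/org/repo.git@8a1a0ec"',
    "python -m pip install torch",
    "git clone https://github.com/org/repo.git",
])

# Placeholder object id for the demonstration, not a real commit.
RESOLVED_COMMIT = "4c1b2d3e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c"

if __name__ == "__main__":
    for finding in scan_markdown(SAMPLE_MARKDOWN):
        for source in finding["sources"]:
            print(f"SEC417 line {finding['line']}: {source}")
            print(f"  pin as: {pin_source(source, RESOLVED_COMMIT)}")
```

To pin a real source, resolve the branch or tag first with `git ls-remote https://github.com/org/repo.git main` and hand the printed object id to `pin_source`. Two caveats match the page's framing: the hex test is a heuristic, so a branch or tag whose name happens to look like a short hash would be misclassified as pinned, and a commit pin only fixes what gets installed; it says nothing about whether that commit was reviewed, so treat the rewrite as a reproducibility fix rather than a trust decision.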