lintai docs

Appearance

Rule Reference

SEC462lintai-ai-securitysupply-chainhardeningstablemarkdownwarn

AI markdown: network TLS bypass

AI-native markdown disables TLS verification for a network-capable command

Public lane
supply-chain
Category
hardening
Provider
lintai-ai-security
Scope
per-file
Surface
markdown
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

supply-chainsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native markdown for exact network-command examples that disable TLS verification, including PowerShell certificate-bypass forms.

Deterministic signal basis

MarkdownSignals exact command-token analysis with `--insecure`, `-k`, `--no-check-certificate`, `-SkipCertificateCheck`, or `NODE_TLS_REJECT_UNAUTHORIZED=0` detection inside parsed markdown regions, with safety-guidance suppression.

Malicious corpus
skill-markdown-network-tls-bypassskill-markdown-network-tls-bypass-powershell
Benign corpus
skill-markdown-network-tls-bypass-warning-safeskill-markdown-network-tls-bypass-powershell-warning-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcesupply-chainhardeningmarkdown
SEC448AI markdown: pip trusted-hostAI-native markdown installs Python packages with `--trusted-host`supply-chainhardeningmarkdown
SEC449AI markdown: pip http indexAI-native markdown installs Python packages from an insecure `http://` package indexsupply-chainhardeningmarkdown
SEC450AI markdown: npm http registryAI-native markdown installs JavaScript packages from an insecure `http://` registrysupply-chainhardeningmarkdown
SEC451AI markdown: cargo http git installAI-native markdown installs Rust packages from an insecure `http://` git sourcesupply-chainhardeningmarkdown
SEC452AI markdown: cargo http indexAI-native markdown installs Rust packages from an insecure `http://` indexsupply-chainhardeningmarkdown

SEC462 / MD-NETWORK-TLS-BYPASS

SEC462 flags AI-native markdown when a network-capable command example disables TLS verification with --insecure, -k, --no-check-certificate, -SkipCertificateCheck, or NODE_TLS_REJECT_UNAUTHORIZED=0.

Why It Matters

Disabling TLS verification removes normal certificate checks from a network fetch. In shared AI-native instructions, that turns a transport-bypass into copy-pastable setup guidance.

Positioning

SEC462 is structurally strong, but still context-sensitive in practice. Security training, lab, and internal bootstrap docs can intentionally show TLS-bypass examples, so the finding is best read as a transport-hardening signal, not as proof of malicious intent.

What Triggers It

  • AI-native markdown surface
  • the same parsed markdown region contains a network-capable command example such as:
    • curl
    • wget
    • or a request using http:// / https://
  • the same region also contains one of:
    • --insecure
    • -k
    • --no-check-certificate
    • -SkipCertificateCheck
    • NODE_TLS_REJECT_UNAUTHORIZED=0

The finding points to the TLS-bypass token itself.

What Does Not Trigger It

  • normal verified curl or wget examples without TLS bypass
  • normal verified Invoke-WebRequest or Invoke-RestMethod examples without TLS bypass
  • safety-oriented guidance such as Do not use curl --insecure ...
  • unrelated prose that mentions TLS without a matching network command

Example

Bad:

bash
curl --insecure https://internal.example.test/bootstrap.sh -o bootstrap.sh
powershell
Invoke-WebRequest https://internal.example.test/bootstrap.ps1 -SkipCertificateCheck

Better:

bash
curl https://internal.example.test/bootstrap.sh -o bootstrap.sh
powershell
Invoke-WebRequest https://internal.example.test/bootstrap.ps1

Remediation

Remove the TLS-bypass flag or env override and keep normal certificate verification enabled for the network command.