lintai docs

Appearance

Rule Reference

SEC470lintai-ai-securitygovernancehardeningstablemarkdownwarn

AI markdown: `Bash(su:*)` tool grant

AI-native markdown frontmatter grants `Bash(su:*)` authority

Public lane
governance
Category
hardening
Provider
lintai-ai-security
Scope
per-file
Surface
markdown
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

governancesidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native frontmatter for explicit wildcard su grants in shared allowed-tools policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for `Bash(su:*)` inside allowed-tools or allowed_tools.

Malicious corpus
skill-su-allowed-tools
Benign corpus
skill-su-allowed-tools-specific-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessgovernancehardeningmarkdown
SEC423AI markdown: bare Read tool grantAI-native markdown frontmatter grants bare `Read` tool accessgovernancehardeningmarkdown
SEC424AI markdown: bare Write tool grantAI-native markdown frontmatter grants bare `Write` tool accessgovernancehardeningmarkdown
SEC425AI markdown: bare Edit tool grantAI-native markdown frontmatter grants bare `Edit` tool accessgovernancehardeningmarkdown
SEC426AI markdown: bare Glob tool grantAI-native markdown frontmatter grants bare `Glob` tool accessgovernancehardeningmarkdown
SEC427AI markdown: bare Grep tool grantAI-native markdown frontmatter grants bare `Grep` tool accessgovernancehardeningmarkdown

SEC470 / MD-SU-ALLOWED-TOOLS flags AI-native markdown frontmatter that grants blanket su authority through allowed-tools.

Why this matters:

  • Bash(su:*) gives broad privilege-switch authority as a default shared capability
  • the grant is wider than a reviewed privilege-switch workflow
  • shared instructions should prefer a narrow scoped command instead of open-ended user switching

Triggers:

yaml
allowed-tools: Bash(su:*)

Does not trigger:

yaml
allowed-tools: Bash(su deploy)

Remediation:

  • replace Bash(su:*) with a narrower reviewed privilege-switch command or remove the grant entirely