Rule Reference

SEC471lintai-ai-securitysupply-chainhardeningstablemarkdownwarn

AI markdown: git sslVerify false

AI-native markdown disables Git TLS verification with `http.sslVerify false`

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

supply-chainsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native markdown for exact `git config` examples that disable Git TLS verification through `http.sslVerify false`.

Deterministic signal basis

MarkdownSignals exact `git config` token analysis with `http.sslVerify false` or `http.sslVerify=false` detection inside parsed markdown regions, excluding safety-warning phrasing.

Malicious corpus

skill-git-sslverify-false

Benign corpus

skill-git-sslverify-true-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcesupply-chainhardeningmarkdown

SEC448AI markdown: pip trusted-hostAI-native markdown installs Python packages with `--trusted-host`supply-chainhardeningmarkdown

SEC449AI markdown: pip http indexAI-native markdown installs Python packages from an insecure `http://` package indexsupply-chainhardeningmarkdown

SEC450AI markdown: npm http registryAI-native markdown installs JavaScript packages from an insecure `http://` registrysupply-chainhardeningmarkdown

SEC451AI markdown: cargo http git installAI-native markdown installs Rust packages from an insecure `http://` git sourcesupply-chainhardeningmarkdown

SEC452AI markdown: cargo http indexAI-native markdown installs Rust packages from an insecure `http://` indexsupply-chainhardeningmarkdown

SEC471 flags AI-native markdown when an exact git config example disables Git transport verification with http.sslVerify false or http.sslVerify=false.

Why this matters

Turning off http.sslVerify disables normal TLS verification for Git HTTP transport. In shared AI-native instructions, that converts a risky trust-bypass workaround into copy-pastable setup guidance.

What triggers it

a parsed markdown region contains git config
the same region also contains:
- http.sslVerify false
- or http.sslVerify=false

The finding points to the http.sslVerify false token.

What does not trigger it

git config http.sslVerify true
safety guidance such as Do not use git config http.sslVerify false
unrelated prose that mentions Git without the exact config form

Example

bash

git config http.sslVerify false

Better

bash

git config http.sslVerify true

Remediation

Remove http.sslVerify false and keep Git transport verification enabled instead of teaching a shared TLS-bypass workflow.

AI markdown: git sslVerify false

Preset Activation

Stable Lifecycle Contract

Related Rules

Why this matters ​

What triggers it ​

What does not trigger it ​

Example ​

Better ​