Rule Reference

SEC472lintai-ai-securitysupply-chainhardeningstablemarkdownwarn

AI markdown: GIT_SSL_NO_VERIFY

AI-native markdown disables Git TLS verification with `GIT_SSL_NO_VERIFY`

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

supply-chainsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native markdown for exact Git command examples that disable TLS verification through `GIT_SSL_NO_VERIFY`.

Deterministic signal basis

MarkdownSignals exact `GIT_SSL_NO_VERIFY=1` or `GIT_SSL_NO_VERIFY=true` token analysis when a Git command appears in the same parsed markdown region, excluding safety-warning phrasing.

Malicious corpus

skill-git-ssl-no-verify

Benign corpus

skill-git-ssl-no-verify-disabled-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcesupply-chainhardeningmarkdown

SEC448AI markdown: pip trusted-hostAI-native markdown installs Python packages with `--trusted-host`supply-chainhardeningmarkdown

SEC449AI markdown: pip http indexAI-native markdown installs Python packages from an insecure `http://` package indexsupply-chainhardeningmarkdown

SEC450AI markdown: npm http registryAI-native markdown installs JavaScript packages from an insecure `http://` registrysupply-chainhardeningmarkdown

SEC451AI markdown: cargo http git installAI-native markdown installs Rust packages from an insecure `http://` git sourcesupply-chainhardeningmarkdown

SEC452AI markdown: cargo http indexAI-native markdown installs Rust packages from an insecure `http://` indexsupply-chainhardeningmarkdown

SEC472 flags AI-native markdown when an exact Git command example disables transport verification through GIT_SSL_NO_VERIFY=1 or GIT_SSL_NO_VERIFY=true.

Why this matters

GIT_SSL_NO_VERIFY disables normal TLS verification for Git HTTP transport. In shared AI-native instructions, that turns a risky trust-bypass workaround into copy-pastable setup guidance.

What triggers it

a parsed markdown region contains:
- GIT_SSL_NO_VERIFY=1
- or GIT_SSL_NO_VERIFY=true
and the same region also contains a Git command

The finding points to the GIT_SSL_NO_VERIFY token.

What does not trigger it

GIT_SSL_NO_VERIFY=0 git ...
safety guidance such as Avoid GIT_SSL_NO_VERIFY=1 git clone ...
unrelated prose that mentions the variable without a Git command

Example

bash

GIT_SSL_NO_VERIFY=1 git clone https://github.com/acme/demo.git

Better

bash

git clone https://github.com/acme/demo.git

Remediation

Remove GIT_SSL_NO_VERIFY and keep Git transport verification enabled instead of teaching a shared TLS-bypass workflow.

AI markdown: GIT_SSL_NO_VERIFY

Preset Activation

Stable Lifecycle Contract

Related Rules

Why this matters ​

What triggers it ​

What does not trigger it ​

Example ​

Better ​