Rule Reference

SEC473lintai-ai-securitysupply-chainhardeningstablemarkdownwarn

AI markdown: git inline sslVerify false

AI-native markdown disables Git TLS verification with `git -c http.sslVerify=false`

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

supply-chainsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native markdown for exact `git -c` examples that disable Git TLS verification inline through `http.sslVerify=false`.

Deterministic signal basis

MarkdownSignals exact `git -c http.sslVerify=false` token analysis inside parsed markdown regions, excluding safety-warning phrasing.

Malicious corpus

skill-git-inline-sslverify-false

Benign corpus

skill-git-inline-sslverify-true-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcesupply-chainhardeningmarkdown

SEC448AI markdown: pip trusted-hostAI-native markdown installs Python packages with `--trusted-host`supply-chainhardeningmarkdown

SEC449AI markdown: pip http indexAI-native markdown installs Python packages from an insecure `http://` package indexsupply-chainhardeningmarkdown

SEC450AI markdown: npm http registryAI-native markdown installs JavaScript packages from an insecure `http://` registrysupply-chainhardeningmarkdown

SEC451AI markdown: cargo http git installAI-native markdown installs Rust packages from an insecure `http://` git sourcesupply-chainhardeningmarkdown

SEC452AI markdown: cargo http indexAI-native markdown installs Rust packages from an insecure `http://` indexsupply-chainhardeningmarkdown

SEC473 flags AI-native markdown when an exact Git command example disables transport verification inline through git -c http.sslVerify=false ....

Why this matters

Inline http.sslVerify=false disables normal TLS verification for that Git command. In shared AI-native instructions, that turns a risky trust-bypass workaround into copy-pastable setup guidance.

What triggers it

a parsed markdown region contains the exact token git -c http.sslVerify=false

The finding points to the -c http.sslVerify=false token.

What does not trigger it

git -c http.sslVerify=true ...
safety guidance such as Do not use git -c http.sslVerify=false ...
unrelated prose that mentions Git without the exact inline config form

Example

bash

git -c http.sslVerify=false clone https://github.com/acme/demo.git

Better

bash

git clone https://github.com/acme/demo.git

Remediation

Remove inline http.sslVerify=false and keep Git transport verification enabled instead of teaching a shared TLS-bypass workflow.

AI markdown: git inline sslVerify false

Preset Activation

Stable Lifecycle Contract

Related Rules

Why this matters ​

What triggers it ​

What does not trigger it ​

Example ​

Better ​