lintai docs

Appearance

Rule Reference

SEC474lintai-ai-securitygovernancehardeningpreviewmarkdownwarn

AI markdown: shared gh pr tool grant

AI-native markdown frontmatter grants `Bash(gh pr:*)` tool access

Public lane
governance
Category
hardening
Provider
lintai-ai-security
Scope
per-file
Surface
markdown
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

governancesidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native markdown frontmatter for exact GitHub pull-request authority through `allowed-tools`.

Deterministic signal basis

MarkdownSignals exact frontmatter string detection for `Bash(gh pr:*)` in allowed-tools entries.

Malicious corpus
skill-gh-pr-allowed-tools
Benign corpus
skill-gh-pr-allowed-tools-specific-safe
structured evidence required remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC389AI markdown: bare WebSearch tool grantAI-native markdown frontmatter grants bare `WebSearch` tool accessgovernancehardeningmarkdown
SEC390AI markdown: shared git push tool grantAI-native markdown frontmatter grants `Bash(git push)` tool accessgovernancehardeningmarkdown
SEC391AI markdown: shared git checkout tool grantAI-native markdown frontmatter grants `Bash(git checkout:*)` tool accessgovernancehardeningmarkdown
SEC392AI markdown: shared git commit tool grantAI-native markdown frontmatter grants `Bash(git commit:*)` tool accessgovernancehardeningmarkdown
SEC393AI markdown: shared git stash tool grantAI-native markdown frontmatter grants `Bash(git stash:*)` tool accessgovernancehardeningmarkdown
SEC404AI markdown: bare WebFetch tool grantAI-native markdown frontmatter grants bare `WebFetch` tool accessgovernancehardeningmarkdown

SEC474 / MD-GH-PR-PERMISSION

SEC474 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants the exact token Bash(gh pr:*).

Why It Matters

gh pr:* bundles broad pull-request operations behind one shared permission token. Granting it directly in shared instruction frontmatter makes remote PR authority part of the default workflow instead of a narrower reviewed action.

This rule intentionally lives in the opt-in governance preset rather than the main preview lane. A shared skill may legitimately document a PR workflow, but repo-wide gh pr authority still deserves explicit review instead of reading like a headline vulnerability finding.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token Bash(gh pr:*)

Clean Cases

These stay clean:

  • more specific command examples such as Bash(gh pr diff:*)
  • unrelated GitHub CLI permissions like Bash(gh repo view)
  • fixture-like examples under test or fixture paths

Example Trigger

yaml
---
allowed-tools: Bash(gh pr:*), Read
---

Safer Example

yaml
---
allowed-tools: Bash(gh pr diff:*), Read
---

How To Fix

Review whether shared Bash(gh pr:*) access is really needed, or replace it with a narrower workflow-specific permission that does not grant blanket pull-request authority by default.