lintai docs

Appearance

Rule Reference

SEC754lintai-ai-securitythreat-reviewsecuritystabledevcontainerwarn

Devcontainer: host-side initializeCommand

Devcontainer config defines a host-side initializeCommand

Public lane
threat-review
Category
security
Provider
lintai-ai-security
Scope
per-file
Surface
devcontainer
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed devcontainer configs for explicit host-side execution via non-empty `initializeCommand`, which runs on the local host before container startup.

Deterministic signal basis

DevcontainerSignals semantic JSON parsing plus exact value-span resolution for a non-empty top-level `initializeCommand` in `.devcontainer.json` or `.devcontainer/devcontainer.json`.

Malicious corpus
devcontainer-initialize-command-host
Benign corpus
devcontainer-no-initialize-command-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

SEC755Devcontainer: sensitive local bind mountDevcontainer config bind-mounts sensitive local host materialthreat-reviewsecuritydevcontainer

Why It Matters

initializeCommand runs on the local host before the dev container starts. In a committed devcontainer.json, that turns repository config into a host-execution surface rather than just a container setup description.

SEC754 is positioned in the explicit threat-review lane because it describes direct host-side execution from committed repository config, not a softer supply-chain hygiene issue.

What Triggers

SEC754 matches .devcontainer.json and .devcontainer/devcontainer.json when they define a non-empty top-level initializeCommand.

False Positives

The rule is narrow and structural. It only checks the dedicated host-side lifecycle key and does not flag container-side lifecycle hooks such as postCreateCommand.

Remediation

Remove committed initializeCommand usage, or move setup into reviewed container build steps or container-side lifecycle hooks that do not execute on the local host.