lintai docs

Appearance

Preset Reference

membership18 direct rules

supply-chain

Sidecar supply-chain hardening rules, including GitHub Actions workflow checks.

Membership preset: directly activates this rule set.

Coverage

Covered Rules

SEC324GitHub Actions: unpinned third-party actionGitHub Actions workflow uses a third-party action that is not pinned to a full commit SHAstablegithub_workflow
SEC325GitHub Actions: untrusted expression in runGitHub Actions workflow interpolates untrusted expression data directly inside a run commandpreviewgithub_workflow
SEC326GitHub Actions: pull_request_target checkoutGitHub Actions pull_request_target workflow checks out untrusted pull request head contentstablegithub_workflow
SEC327GitHub Actions: write-all tokenGitHub Actions workflow grants GITHUB_TOKEN write-all permissionsstablegithub_workflow
SEC328GitHub Actions: write-capable third-party actionGitHub Actions workflow combines explicit write-capable permissions with a third-party actionpreviewgithub_workflow
SEC743package.json: dangerous lifecycle scriptpackage.json defines a dangerous install-time lifecycle scriptstablejson
SEC744package.json: git or forge dependency sourcepackage.json installs a dependency from a git or forge shortcut sourcestablejson
SEC745package.json: unbounded dependency versionpackage.json uses an unbounded dependency version like * or lateststablejson
SEC746Dockerfile: remote script execution in RUNDockerfile RUN downloads remote code and executes itstabledockerfile
SEC747Dockerfile: final stage runs as rootDockerfile final stage explicitly runs as rootstabledockerfile
SEC748Docker Compose: privileged service runtimeDocker Compose service enables privileged container runtime or host namespace accessstabledocker-compose
SEC749Dockerfile: mutable registry image in FROMDockerfile FROM uses a mutable registry image without a digest pinstabledockerfile
SEC750Docker Compose: mutable service imageDocker Compose service image uses a mutable registry reference without a digest pinstabledocker-compose
SEC751Dockerfile: latest or implicit-latest base image tagDockerfile FROM uses a latest or implicit-latest image tagstabledockerfile
SEC752Docker Compose: latest or implicit-latest service image tagDocker Compose service image uses a latest or implicit-latest tagstabledocker-compose
SEC753package.json: direct archive URL dependency sourcepackage.json installs a dependency from a direct archive URL sourcestablejson
SEC754Devcontainer: host-side initializeCommandDevcontainer config defines a host-side initializeCommandstabledevcontainer
SEC755Devcontainer: sensitive local bind mountDevcontainer config bind-mounts sensitive local host materialstabledevcontainer

What This Preset Enables

The supply-chain preset enables sidecar hardening rules around workflow and release-chain surfaces such as GitHub Actions.

When To Use It

Use it when you want broader repository hardening beyond the core agent-artifact surfaces.

Tradeoffs

This lane is useful, but intentionally separate from the quiet recommended default so most teams can start with a calmer first pass.