
Rule Reference

SEC304 (lintai-ai-security, stable, json, warn)

Config: TLS verification disabled

Configuration disables TLS or certificate verification

Provider: lintai-ai-security
Surface: json
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Matches explicit TLS or certificate verification disable flags in configuration.

Deterministic signal basis

JsonSignals boolean and key observation for trust-verification disable settings.

Malicious corpus: mcp-trust-verification-disabled
Benign corpus: mcp-trust-verified-basic
Review status: structured evidence required; remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Disabling TLS or certificate verification in config weakens trust boundaries for every connection that uses that transport. In committed config this is usually a durable unsafe default, not a one-off debug flag.

What Triggers

SEC304 applies to parsed JSON configuration and triggers on explicit trust-disable settings such as:

  • verifyTLS: false
  • insecureSkipVerify: true

Examples that trigger:

```json
{"client":{"url":"https://internal.test","verifyTLS":false}}
{"transport":{"insecureSkipVerify":true}}
```

Example that stays clean:

```json
{"client":{"url":"https://internal.test","verifyTLS":true}}
```
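The following is an added example, not lintai's own implementation, showing the kind of structural check SEC304 describes: parse the JSON, walk every key/value pair, and emit one finding with a path as evidence for each explicit trust-disable setting. The two keys and their triggering values come from the page; the `TRUST_DISABLE_SIGNALS` table, the `walk` and `find_trust_disable` helpers, the `$.a.b[0]` path notation and the sample configs are this example's own assumptions. It also shows why the check is high precision: a string `"false"`, a missing key, or `verifyTLS: true` produce no finding.

```python
"""Added example (not lintai's code): structural detection of explicit
TLS / certificate verification disable settings in parsed JSON config."""
import json
from typing import Any, Iterator

# Key -> boolean value that means "verification is off". Both keys are the
# ones named in the SEC304 rule text; the table itself is an assumption here.
TRUST_DISABLE_SIGNALS = {
    "verifyTLS": False,          # verification disabled when explicitly false
    "insecureSkipVerify": True,  # verification skipped when explicitly true
}


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, key, value) for every key/value pair in the document,
    descending through nested objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def find_trust_disable(config_text: str) -> list[dict]:
    """Parse one JSON config and return one finding per explicit trust-disable
    setting. Only an exact JSON boolean counts: the string "false", a number,
    or an absent key is not evidence, which keeps the rule high precision."""
    doc = json.loads(config_text)
    findings = []
    for path, key, value in walk(doc):
        expected = TRUST_DISABLE_SIGNALS.get(key)
        if expected is not None and isinstance(value, bool) and value == expected:
            findings.append({
                "rule": "SEC304",
                "path": path,          # structural evidence: where in the file
                "key": key,
                "value": value,
                "message": "Configuration disables TLS or certificate verification",
            })
    return findings


# Constructed sample configs: the two triggering examples and the clean example
# from the rule page, plus three edge cases invented for this example.
SAMPLES = {
    "client_verify_off": '{"client":{"url":"https://internal.test","verifyTLS":false}}',
    "transport_skip_verify": '{"transport":{"insecureSkipVerify":true}}',
    "client_verify_on": '{"client":{"url":"https://internal.test","verifyTLS":true}}',
    "string_not_bool": '{"client":{"verifyTLS":"false"}}',
    "nested_in_array": '{"servers":[{"verifyTLS":false},{"insecureSkipVerify":true}]}',
    "unrelated_keys": '{"client":{"timeoutSeconds":30,"retries":3}}',
}


def scan_samples() -> dict[str, int]:
    """Return the number of SEC304 findings per sample, for a quick overview."""
    return {name: len(find_trust_disable(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for finding in find_trust_disable(text):
            print(f"{name}: {finding['path']} = {finding['value']!r} -> {finding['message']}")
```

Because the evidence is a concrete path into the file, a finding can be reported deterministically and compared against the rule's benign and malicious corpora; the remediation stays message-only, since the check cannot know whether the right fix is a trusted HTTPS endpoint or a local stdio transport.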

False Positives

The rule is structural and limited to known verification-disable keys. It is a good fit for shipped configs because the signal is explicit even when the environment is internal.

Remediation

Re-enable certificate verification and use trusted HTTPS or local stdio transport. There is no automatic fix because the correct replacement depends on how the client should connect.