lintai docs

Appearance

Rule Reference

SEC310lintai-ai-securitystablejsonwarn

Config: metadata or private-network host

Configuration endpoint targets a metadata or private-network host literal

Provider
lintai-ai-security
Surface
json
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

basemembership
mcpmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Matches explicit metadata-service or private-network host literals in endpoint-like configuration values.

Deterministic signal basis

JsonSignals endpoint-host extraction over URL-like endpoint fields with metadata/private-host classification.

Malicious corpus
mcp-metadata-host-literal
Benign corpus
mcp-public-endpoint-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cjsonstable
SEC302Config: insecure HTTP endpointConfiguration contains an insecure http:// endpointjsonstable
SEC303MCP config: credential env passthroughMCP configuration passes through credential environment variablesjsonstable
SEC304Config: TLS verification disabledConfiguration disables TLS or certificate verificationjsonstable
SEC305Config: hardcoded auth materialConfiguration embeds static authentication material in a connection or auth valuejsonstable
SEC309Config: literal secrets in configConfiguration commits literal secret material in env, auth, or header valuesjsonstable

Why It Matters

Metadata-service and private-network host literals are high-signal indicators that a config is pointing at infrastructure-local or cloud-instance surfaces rather than an ordinary public service.

What Triggers

SEC310 applies to parsed JSON endpoint-like values and triggers when the host is a metadata or private-network literal.

Example that triggers:

json
{"url":"https://169.254.169.254/latest/meta-data"}

Example that stays clean:

json
{"url":"https://api.example.com/mcp"}

False Positives

This is a structural host-classification rule, not a prose heuristic. The main question is intent, not precision: sometimes the config is intentionally meant for local infrastructure access, but the signal remains review-worthy.

Remediation

Replace metadata or private-network host literals with a trusted public endpoint or a local stdio transport if the integration does not truly require infrastructure-local access.