
Rule Reference

SEC321 (provider: lintai-ai-security, tier: stable, surface: server_json, severity: warn)

server.json remotes: literal auth header

server.json remotes header commits literal authentication material

Provider: lintai-ai-security
Surface: server_json
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the built-in activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks remotes[].headers[] auth-like values for literal bearer/basic material or literal API-key-style values.

Deterministic signal basis

ServerJsonSignals inspects remotes[].headers[] auth-like names and value literals without looking at packages[].transport.

Malicious corpus: server-json-literal-auth-header
Benign corpus: server-json-auth-header-placeholder-safe
Evidence flags: structured evidence required, remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Literal auth material inside server.json remote headers turns the registry artifact into a secret-bearing manifest. That is both a security problem and a portability problem for downstream consumers.

What Triggers

SEC321 applies to server.json remotes[].headers[] and triggers when an auth-like header carries literal bearer, basic, or API-key style material instead of a placeholder-backed variable.

Example that triggers:

```json
{
  "headers": [
    {
      "name": "Authorization",
      "value": "Bearer sk_live_12345"
    }
  ]
}
```

Example that stays clean:

```json
{
  "headers": [
    {
      "name": "Authorization",
      "value": "Bearer {TOKEN}",
      "variables": {
        "TOKEN": { "description": "API token", "isSecret": true }
      }
    }
  ]
}
```

False Positives

The rule is limited to auth-like header names and literal values. Dynamic placeholders stay clean, so this is not a blanket rule against authenticated remotes.
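To make the trigger and false-positive boundaries concrete, here is a small standalone checker modelled on the behaviour the two sections above describe: it walks `remotes[].headers[]`, treats only auth-like header names as in scope, reports a literal bearer, basic, or API-key-style value, and stays clean when the value is a `{PLACEHOLDER}`. This is an added example, not lintai-ai-security's own implementation of SEC321; the set of auth-like header names, the scheme regexes, and the sample `server.json` document are assumptions constructed for the example.

```python
import json
import re

# Constructed sample server.json: remote 0 leaks a literal bearer token,
# remote 1 uses a placeholder-backed variable and a non-auth header.
SAMPLE_SERVER_JSON = """
{
  "name": "io.example/demo-server",
  "remotes": [
    {
      "type": "streamable-http",
      "url": "https://example.invalid/mcp",
      "headers": [
        {"name": "Authorization", "value": "Bearer sk_live_12345"}
      ]
    },
    {
      "type": "streamable-http",
      "url": "https://example.invalid/mcp",
      "headers": [
        {
          "name": "Authorization",
          "value": "Bearer {TOKEN}",
          "variables": {"TOKEN": {"description": "API token", "isSecret": true}}
        },
        {"name": "X-Trace-Id", "value": "deadbeef"}
      ]
    }
  ]
}
"""

# Assumed set of auth-like header names; the rule's real list is not on the page.
AUTH_LIKE_NAMES = {
    "authorization", "proxy-authorization", "x-api-key", "api-key", "x-auth-token",
}

PLACEHOLDER_RE = re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*\}")
BEARER_RE = re.compile(r"^\s*bearer\s+\S+", re.IGNORECASE)
BASIC_RE = re.compile(r"^\s*basic\s+[A-Za-z0-9+/=]+\s*$", re.IGNORECASE)


def classify_header_value(header):
    """Return a finding kind for one header object, or None when it is clean.

    Only auth-like names are in scope. A value containing a {PLACEHOLDER}
    is placeholder-backed and stays clean; any other non-empty value on an
    auth-like header is literal authentication material.
    """
    name = str(header.get("name", "")).lower()
    if name not in AUTH_LIKE_NAMES:
        return None
    value = str(header.get("value", ""))
    if not value.strip():
        return None
    if PLACEHOLDER_RE.search(value):
        return None  # dynamic placeholder: not a SEC321 finding
    if BEARER_RE.match(value):
        return "literal_bearer"
    if BASIC_RE.match(value):
        return "literal_basic"
    return "literal_api_key"


def redact(value):
    """Keep only the scheme word so the lint output does not echo the secret."""
    parts = value.split(None, 1)
    if len(parts) == 2 and parts[0].lower() in ("bearer", "basic"):
        return parts[0] + " ***"
    return "***"


def scan_server_json(text):
    """Parse a server.json document and return SEC321-style findings."""
    doc = json.loads(text)
    findings = []
    for ri, remote in enumerate(doc.get("remotes", [])):
        for hi, header in enumerate(remote.get("headers", [])):
            kind = classify_header_value(header)
            if kind is None:
                continue
            findings.append({
                "rule": "SEC321",
                "path": f"remotes[{ri}].headers[{hi}]",
                "header": header.get("name"),
                "kind": kind,
                "preview": redact(str(header.get("value", ""))),
            })
    return findings


if __name__ == "__main__":
    for f in scan_server_json(SAMPLE_SERVER_JSON):
        print(f"{f['rule']} {f['path']} {f['header']}: {f['kind']} ({f['preview']})")
```

Running the block reports exactly one finding, on `remotes[0].headers[0]`, while the placeholder-backed header and the `X-Trace-Id` header in the second remote are left alone. The `redact` helper is a deliberate design choice: a checker that flags secrets should not copy them verbatim into its own output, since lint logs are often less protected than the manifest itself.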

Remediation

Replace the literal auth header value with a placeholder-backed variable declared on the same header object.