
Rule Reference


server.json auth: missing explicit secret flag

server.json auth header carries material without an explicit secret flag

Provider: lintai-ai-security
Surface: server_json
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Secret policy expectations can vary across registry producers, so the first release keeps this as a context-sensitive preview review signal.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

SEC323 flags server.json auth-carrying header entries that use a value or variables without an explicit isSecret or is_secret marker.

This is not a literal-secret detector. It is a policy-shape rule for server registry entries: when an auth header carries credential material, the manifest should mark that fact explicitly so downstream tooling can treat it as secret-bearing config.

What Triggers

SEC323 applies to server.json remotes header entries and triggers when:

  • the header looks auth-like, such as Authorization or x-api-key
  • the header carries value or variable-backed material
  • and the same header object does not explicitly set isSecret or is_secret to true

Example that triggers:

```json
{
  "headers": [
    {
      "name": "x-api-key",
      "value": "{API_KEY}",
      "variables": {
        "API_KEY": { "description": "API key" }
      }
    }
  ]
}
```

Example that stays clean:

```json
{
  "headers": [
    {
      "name": "x-api-key",
      "value": "{API_KEY}",
      "variables": {
        "API_KEY": { "description": "API key" }
      },
      "isSecret": true
    }
  ]
}
```
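The three trigger conditions above, implemented as a small structural check over a constructed server.json. This is an added example, not lintai's own implementation; the set of auth-like header names beyond Authorization and x-api-key, and the finding format, are assumptions of the example.

```python
import json
import re

# Constructed sample server.json (not from the lintai project): one remote with
# an unmarked auth header, a marked one, and a non-auth header.
SAMPLE_SERVER_JSON = """
{
  "remotes": [
    {
      "url": "https://example.invalid/mcp",
      "headers": [
        {"name": "x-api-key", "value": "{API_KEY}",
         "variables": {"API_KEY": {"description": "API key"}}},
        {"name": "Authorization", "value": "Bearer {TOKEN}",
         "variables": {"TOKEN": {"description": "bearer token"}},
         "is_secret": true},
        {"name": "Accept", "value": "application/json"}
      ]
    }
  ]
}
"""
# Which names count as auth-like is an assumption of this example; the page itself
# names only Authorization and x-api-key.
AUTH_LIKE = re.compile(r"^(authorization|proxy-authorization|x-api-key|api-key|x-auth-token)$", re.IGNORECASE)

def is_auth_like(name):
    return bool(AUTH_LIKE.match(name.strip()))

def carries_material(header):
    # A non-empty value or a non-empty variables map means the header carries material.
    return bool(header.get("value")) or bool(header.get("variables"))

def explicitly_secret(header):
    # Only a JSON boolean true satisfies the rule; the string "true" does not.
    return header.get("isSecret") is True or header.get("is_secret") is True

def find_sec323(doc):
    """One finding per auth-like, material-carrying header that lacks the secret flag."""
    findings = []
    for r_idx, remote in enumerate(doc.get("remotes", [])):
        for h_idx, header in enumerate(remote.get("headers", [])):
            name = str(header.get("name", ""))
            if is_auth_like(name) and carries_material(header) and not explicitly_secret(header):
                findings.append({"rule": "SEC323", "path": f"remotes[{r_idx}].headers[{h_idx}]", "name": name})
    return findings

def check_server_json(text):
    # Parse the manifest text and return the SEC323 findings for it.
    return find_sec323(json.loads(text))
```

Running check_server_json on the sample reports only the x-api-key header: the Authorization entry is marked is_secret and Accept is not auth-like.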

False Positives

This rule stays Preview because secret-policy expectations can vary across registry producers. The finding is useful as a consistency and secret-handling signal, but it is not equivalent to proving that a literal credential was committed.

Remediation

Mark auth-carrying header entries with isSecret: true or is_secret: true when they carry value or variable-backed credential material.