
Rule Reference

SEC342 | lintai-ai-security | stable | claude_settings | warn

Claude hook: TLS verification disabled

Claude settings command hook disables TLS verification in a network-capable execution path

Provider: lintai-ai-security
Surface: claude_settings
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State: stable_gated

Graduation rationale

Checks committed Claude settings command hooks for explicit TLS-bypass tokens in a network-capable execution context.

Deterministic signal basis

ClaudeSettingsSignals command-hook string analysis over committed hook entries with type == command, gated by network markers plus TLS-bypass tokens.

Malicious corpus: claude-settings-command-tls-bypass
Benign corpus: claude-settings-network-tls-verified-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

SEC342 flags committed Claude settings command hooks that disable TLS verification in a network-capable execution path.

Because this rule applies to executable Claude hook config rather than markdown guidance, it is a stronger operational signal: the repository is committing a hook command that explicitly turns off transport verification.

What Triggers

SEC342 applies to committed Claude settings hook entries where:

  • the entry is a hook command, not a statusLine command
  • the command performs a network-capable action such as curl
  • and the same command disables TLS verification with a token like --insecure

Example that triggers:

```json
{
  "hooks": {
    "PreToolUse": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "curl --insecure https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh"
          }
        ]
      }
    ]
  }
}
```

Examples that stay clean:

  • hook commands with normal certificate verification
  • non-hook statusLine command entries
  • commands that do not combine network execution with TLS bypass
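The trigger conditions above, modelled as a small stand-alone check in Python. This is an added example, not the rule's own implementation: the page names only `curl` as a network marker and `--insecure` plus an "env override" as bypass evidence, so the tool list, the additional bypass tokens (`-k`, `--no-check-certificate`, `GIT_SSL_NO_VERIFY`, `NODE_TLS_REJECT_UNAUTHORIZED`, `PYTHONHTTPSVERIFY`) and the sample settings file are assumptions constructed for illustration. It walks only the `hooks` tree (skipping a top-level `statusLine` command, as the rule's scope says), requires both a network-capable tool and a TLS-bypass token in the same command, and emits one finding per offending hook.

```python
"""Stand-alone model of a SEC342-style check over a Claude settings file."""
import json
import re
import shlex

# Assumption: which tools count as "network-capable". The page names curl;
# the others are common equivalents chosen for this example.
NETWORK_TOOLS = {"curl", "wget", "git", "pip", "pip3", "npm", "ssh", "scp"}

# Assumption: explicit TLS-bypass evidence. The page names --insecure and an
# "env override"; the remaining tokens are well-known equivalents.
LONG_BYPASS_FLAGS = {"--insecure", "--no-check-certificate"}
SHORT_CURL_K = re.compile(r"^-[A-Za-z]*k[A-Za-z]*$")  # curl -k, also clusters like -sk
ENV_BYPASS = re.compile(
    r"^(GIT_SSL_NO_VERIFY=(1|true)|NODE_TLS_REJECT_UNAUTHORIZED=0|PYTHONHTTPSVERIFY=0)$",
    re.IGNORECASE,
)


def network_markers(tokens):
    """Return the network-capable tool names mentioned in a command."""
    return {t.rsplit("/", 1)[-1] for t in tokens} & NETWORK_TOOLS


def tls_bypass_tokens(tokens, markers):
    """Return the tokens that disable certificate verification.

    The bare '-k' form (including clusters such as '-sk') only counts when curl
    is actually in the command, because '-k' means other things for other tools.
    """
    found = set()
    for t in tokens:
        if t in LONG_BYPASS_FLAGS or ENV_BYPASS.match(t):
            found.add(t)
        elif "curl" in markers and SHORT_CURL_K.match(t):
            found.add(t)
    return found


def iter_command_hooks(settings):
    """Yield (event, command) for every hook entry with type == command.

    Only the 'hooks' tree is walked; a top-level 'statusLine' command is a
    different surface and is deliberately not visited.
    """
    for event, matchers in settings.get("hooks", {}).items():
        for matcher in matchers:
            for entry in matcher.get("hooks", []):
                if entry.get("type") == "command" and isinstance(entry.get("command"), str):
                    yield event, entry["command"]


def check_settings(settings):
    """Return one finding per hook command that combines a network-capable tool
    with a TLS-bypass token; an empty list means the file is clean."""
    findings = []
    for event, command in iter_command_hooks(settings):
        try:
            tokens = shlex.split(command)
        except ValueError:
            tokens = command.split()  # unbalanced quotes: fall back to a plain split
        markers = network_markers(tokens)
        if not markers:
            continue  # no network-capable action, so out of scope
        bypass = tls_bypass_tokens(tokens, markers)
        if bypass:
            findings.append({
                "rule": "SEC342",
                "event": event,
                "command": command,
                "network": sorted(markers),
                "tls_bypass": sorted(bypass),
            })
    return findings


# Constructed sample settings (not a real project's file): one flagged hook per
# event, one verified-TLS hook, a non-network command with a '-k' cluster, and a
# statusLine command that is out of scope for the rule.
SAMPLE_SETTINGS = json.loads(r'''
{
  "statusLine": {"type": "command", "command": "curl -k https://status.example/ping"},
  "hooks": {
    "PreToolUse": [
      {"hooks": [
        {"type": "command",
         "command": "curl --insecure https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh"},
        {"type": "command",
         "command": "curl -fsSL https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh"}
      ]}
    ],
    "PostToolUse": [
      {"hooks": [
        {"type": "command", "command": "GIT_SSL_NO_VERIFY=true git fetch origin"},
        {"type": "command", "command": "tar -xk -f /tmp/archive.tar"}
      ]}
    ]
  }
}
''')

if __name__ == "__main__":
    for f in check_settings(SAMPLE_SETTINGS):
        print(f"{f['rule']} {f['event']}: {f['tls_bypass']} with {f['network']}: {f['command']}")
```

Run against the constructed sample, the check reports the `--insecure` curl hook and the `GIT_SSL_NO_VERIFY=true` git hook, and stays silent on the verified curl download, the `tar -xk` command (no network marker) and the `statusLine` entry. Gating the short `-k` form on curl being present is what keeps the check high-precision rather than flagging every `-k` in the file.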

False Positives

This rule is Stable because it operates on committed executable hook commands with explicit TLS-bypass evidence. The main scope boundary is that it targets hook commands only; nearby command-like settings such as statusLine are intentionally out of scope.

Remediation

Remove the TLS-bypass flag or env override and keep normal certificate verification enabled for the hook command's network path.