lintai docs

Appearance

Rule Reference

SEC348lintai-ai-securitypreviewmarkdownwarn

AI markdown: mutable Docker image

AI-native markdown Docker example uses a mutable registry image

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership
skillsmembership

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Mutable Docker image examples in markdown can be legitimate setup guidance, so the first release stays context-sensitive preview rather than a stronger default posture.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC101HTML comment: dangerous instructionsHidden HTML comment contains dangerous agent instructionsmarkdownpreview
SEC102Markdown: remote execution instructionMarkdown contains remote download-and-execute instruction outside code blocksmarkdownpreview
SEC103HTML comment: remote execution instructionHidden HTML comment contains remote download-and-execute instructionmarkdownpreview
SEC104Markdown: base64 executable payloadMarkdown contains a base64-decoded executable payload outside code blocksmarkdownpreview
SEC105Markdown: parent-directory file accessMarkdown instructions reference parent-directory traversal for file accessmarkdownpreview
SEC313Shell example: remote content piped to shellFenced shell example pipes remote content directly into a shellmarkdownpreview

Why It Matters

SEC348 flags AI-native markdown that recommends docker run against a mutable registry image instead of a digest-pinned image.

These examples are common in setup docs, but they weaken reproducibility:

  • the same command can pull different content over time
  • reviewers cannot tell which image digest the docs actually endorsed
  • community users often copy-paste these examples directly into local automation

Positioning

This is a context-sensitive preview rule. The detector is structural and useful, but many real setup docs deliberately trade reproducibility for simplicity, so the finding should be reviewed as hardening guidance rather than treated as a universal badness signal.

What Triggers

SEC348 applies only to AI-native markdown and triggers when:

  • the region contains a literal docker run
  • the image token looks like a public or registry image
  • the image is not pinned with @sha256:...

Examples that trigger:

text
docker run -p 6333:6333 qdrant/qdrant
docker run -p 6006:6006 arizephoenix/phoenix:latest
docker run -t owasp/zap2docker-stable zap-full-scan.py

Examples that stay clean:

text
docker run ghcr.io/acme/server@sha256:0123...
docker run my-app:latest

my-app:latest stays clean because it looks like a local image name, not clearly a registry-distributed dependency.

False Positives

This rule stays Preview because many docs intentionally optimize for simplicity over reproducibility. The finding is still useful as guidance, but it should not yet be read as proof of a dangerous runtime configuration.

Remediation

The cleanest remediation is to publish examples with digest-pinned images:

text
docker run ghcr.io/acme/server@sha256:0123...

If a digest-pinned example is not practical, add explicit reproducibility guidance so users understand the tradeoff and do not assume the example is stable forever.