
Rule Reference

SEC349 | lintai-ai-security | preview | markdown | warn

AI markdown: privileged Docker pattern

AI-native markdown Docker example uses a host-escape or privileged runtime pattern

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Docker host-escape examples in markdown can be legitimate ops guidance, so the first release stays context-sensitive preview while domain-specific precision is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Privileged Docker examples in AI-native markdown are easy to copy into local execution without the surrounding caveats. Patterns like --privileged, host namespaces, or a docker.sock mount turn shared docs into operational guidance for container-to-host escape or host-level control.

Positioning

This is a context-sensitive preview rule. The detector points at real host-escape patterns, but infra debugging, security labs, and some ops runbooks may intentionally document them.

What Triggers

SEC349 applies only to AI-native markdown and triggers when a docker run example includes a host-escape or privileged runtime pattern such as:

  • --privileged
  • --network host
  • --pid host
  • --ipc host
  • bind mounts or mounts of /var/run/docker.sock

Examples that trigger:

```text
docker run --privileged ghcr.io/acme/tool
docker run --network host ghcr.io/acme/tool
docker run -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/acme/tool
```

Examples that stay clean:

```text
docker run qdrant/qdrant
docker run ghcr.io/acme/server@sha256:0123...
```
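The trigger list above can be approximated with a small scanner; this is an added example, not lintai's own implementation, and it assumes the file has already been classified as AI-native markdown. It goes beyond the forms listed on this page by also accepting `--flag=value` spellings, the `--net` alias, `--volume` and `--mount`, and backslash line continuations. The names `risky_patterns`, `scan_markdown` and `SAMPLE` are hypothetical.

```python
import shlex

# Flags named by the rule; "--net" is Docker's older alias for --network.
HOST_NAMESPACE_FLAGS = {"--network", "--net", "--pid", "--ipc"}
MOUNT_FLAGS = {"-v", "--volume", "--mount"}
DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample document (not from a real repository).
SAMPLE = """\
docker run qdrant/qdrant
docker run --privileged ghcr.io/acme/tool
$ docker run --rm \\
    --pid=host --net host ghcr.io/acme/tool
docker run --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock ghcr.io/acme/tool
"""


def risky_patterns(command):
    """Return host-escape patterns in one `docker run` line.

    Every token is checked, so flags placed after the image name
    (arguments to the container) are reported too.
    """
    try:
        tokens = shlex.split(command)
    except ValueError:  # prose line with an unbalanced quote
        tokens = command.split()
    if tokens[:2] != ["docker", "run"]:
        return []
    found, args = [], tokens[2:]
    for i, tok in enumerate(args):
        flag, sep, inline = tok.partition("=")
        value = inline if sep else (args + [""])[i + 1]
        if flag == "--privileged" and inline.lower() != "false":
            found.append("--privileged")
        elif flag in HOST_NAMESPACE_FLAGS and value == "host":
            found.append(f"{flag} host")
        elif flag in MOUNT_FLAGS and DOCKER_SOCK in value:
            found.append("docker.sock mount")
    return found

def scan_markdown(text):
    """Return [(first_line_number, patterns)] for risky commands in text."""
    hits, pending, start = [], "", 0
    for number, line in enumerate(text.splitlines(), 1):
        start = start if pending else number
        pending += line.strip()
        if pending.endswith("\\"):  # shell line continuation
            pending = pending[:-1] + " "
            continue
        found, pending = risky_patterns(pending.lstrip("$ ")), ""
        if found:
            hits.append((start, found))
    return hits
```

`scan_markdown(SAMPLE)` reports lines 2, 3 and 5 of the sample; the continuation on lines 3 and 4 is attributed to the line where the command starts.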

False Positives

This rule remains Preview because security-lab or infra-debugging docs may intentionally show these commands. The detector is still valuable because it identifies real host-escape patterns, but the surrounding context can be legitimate and should be reviewed before escalation.

Remediation

Prefer examples without privileged flags, host namespaces, or docker.sock mounts. If the risky pattern is intentionally documented for lab use, label it explicitly as a dangerous exception instead of presenting it as a normal setup step.