Rule Reference

SEC353 · lintai-ai-security · preview · markdown · warn

Copilot instructions: exceeds 4000 chars

GitHub Copilot instruction markdown exceeds the 4000-character guidance limit

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Long Copilot instruction files can still be intentional, so the first release stays guidance-only while usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

GitHub Copilot repository-level and path-specific instruction files are easier to reason about when they stay short and focused. Once an instruction file grows past the documented 4000-character guidance limit, parts of the intended guidance can become easier to ignore, harder to review, and less portable across review-oriented Copilot workflows.

What Triggers

SEC353 applies only to GitHub Copilot instruction paths:

  • .github/copilot-instructions.md
  • .github/instructions/*.instructions.md

It triggers when the file content exceeds 4000 characters.

Examples that trigger:

  • a repository-level .github/copilot-instructions.md packed with multi-page guidance
  • a path-specific .github/instructions/review.instructions.md that grows beyond the same limit

Examples that stay clean:

  • short repository-level Copilot instructions
  • path-specific instruction files that stay within the limit
  • fixture-like paths such as tests/fixtures/.github/copilot-instructions.md
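
The trigger described above can be reproduced with a short script for local or CI use. This is an added example, not lintai's own code; the function names, the root-only `.github` match, and counting Unicode code points rather than bytes are assumptions.

```python
# Added illustration of the SEC353 trigger; not lintai's implementation.
import fnmatch
from pathlib import Path, PurePosixPath
from typing import List, Optional

LIMIT = 4000  # guidance limit stated on this page


def is_copilot_instruction_path(rel_path: str) -> bool:
    """True for the two path shapes the rule covers, relative to the repo root.

    Assumption: only a root-level .github directory counts, which is why
    tests/fixtures/.github/copilot-instructions.md stays clean.
    """
    parts = PurePosixPath(rel_path.replace("\\", "/")).parts
    if parts == (".github", "copilot-instructions.md"):
        return True
    return (
        len(parts) == 3
        and parts[:2] == (".github", "instructions")
        and fnmatch.fnmatchcase(parts[2], "*.instructions.md")
    )


def check(rel_path: str, text: str) -> Optional[str]:
    """Return a warning message when the file is in scope and over the limit."""
    if not is_copilot_instruction_path(rel_path):
        return None
    n = len(text)  # assumption: characters are Unicode code points, not bytes
    if n > LIMIT:  # "exceeds": exactly 4000 characters is still clean
        return f"SEC353 warn: {rel_path} is {n} chars (limit {LIMIT})"
    return None


def scan_repo(root: str) -> List[str]:
    """Check the in-scope files under a checked-out repository root."""
    base = Path(root)
    github = base / ".github"
    candidates = [github / "copilot-instructions.md"]
    candidates += sorted((github / "instructions").glob("*.instructions.md"))
    findings = []
    for f in candidates:
        if f.is_file():
            rel = f.relative_to(base).as_posix()
            msg = check(rel, f.read_text(encoding="utf-8"))
            if msg:
                findings.append(msg)
    return findings
```

Calling `scan_repo(".")` from a checkout root returns one message per oversized instruction file and an empty list when everything is within the limit.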

False Positives

This rule stays Preview because some projects may intentionally keep large instruction files while they evaluate how much Copilot actually consumes in their workflows. The rule is guidance about reviewability and effective application, not a claim that every long file is broken.

Remediation

Split long Copilot guidance into:

  • a shorter shared .github/copilot-instructions.md
  • narrower .github/instructions/*.instructions.md files for path-specific behavior

Prefer small, focused instruction files over one large catch-all document.