
Rule Reference

SEC354 · lintai-ai-security · preview · markdown · warn

Copilot instructions: missing `applyTo`

Path-specific GitHub Copilot instruction markdown is missing `applyTo` frontmatter

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Missing `applyTo` on path-specific Copilot instruction files is deterministic, but the first release stays guidance-only while external usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Path-specific GitHub Copilot instruction files under .github/instructions/ are meant to scope their guidance to the files matched by an applyTo glob. Without applyTo the file declares no target: a reviewer cannot tell which files it governs, and it can silently fail to apply to the files the author intended.

What Triggers

SEC354 applies only to path-specific GitHub Copilot instruction files:

  • .github/instructions/*.instructions.md

It triggers when:

  • the file has no frontmatter at all, or
  • the frontmatter parses successfully but does not contain applyTo

Examples that trigger:

  • .github/instructions/review.instructions.md with no frontmatter
  • a path-specific instruction file with frontmatter like title: Review but no applyTo

Examples that stay clean:

  • frontmatter with applyTo: "**/*.rs"
  • fixture-like paths such as tests/fixtures/.github/instructions/review.instructions.md
  • files with invalid YAML frontmatter, which stay outside this rule to avoid mixing parse recovery with applyTo policy
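The trigger and exclusion rules above, as a stand-alone checker. This is an added example written for this page, not lintai's own implementation. It assumes a deliberately small frontmatter dialect (a leading `---` line, `key: value` lines, a closing `---`; anything else counts as invalid YAML and is skipped, as the page says the real rule does), assumes that only a root-level .github/instructions/ directory is in scope so that nested copies such as tests/fixtures/... are treated as fixtures, and uses constructed sample files and hypothetical function names (`check_sec354`, `parse_frontmatter`, `run_samples`).

```python
"""Added example: re-implementation of the SEC354 decision logic described on
this page. Not lintai's code; the frontmatter parser is a small YAML subset
(assumption) and the fixture heuristic (root-level .github only) is an
assumption as well."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RULE_ID = "SEC354"
SUFFIX = ".instructions.md"
# A top-level frontmatter key: `name:` followed by whitespace or end of line.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*\s*:(\s|$)")


@dataclass
class Finding:
    rule: str
    path: str
    message: str


def is_path_specific_instruction(path: str) -> bool:
    """True only for <repo root>/.github/instructions/*.instructions.md.

    Nested copies (tests/fixtures/.github/instructions/...) are fixtures,
    not live Copilot configuration, so they are out of scope (assumption).
    """
    parts = path.replace("\\", "/").split("/")
    if len(parts) != 3 or parts[0] != ".github" or parts[1] != "instructions":
        return False
    name = parts[2]
    return name.endswith(SUFFIX) and len(name) > len(SUFFIX)


def parse_frontmatter(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (status, keys) with status in {'none', 'invalid', 'ok'}."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return "none", {}
    keys: Dict[str, str] = {}
    for line in lines[1:]:
        if line.strip() == "---":
            return "ok", keys
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or YAML comment
        if line[0] in " \t":
            continue  # indented continuation of the previous key
        if not KEY_RE.match(line):
            return "invalid", {}  # not a `key: value` line in our subset
        key, _, value = line.partition(":")
        keys[key.strip()] = value.strip()
    return "invalid", {}  # opening `---` was never closed


def check_sec354(path: str, text: str) -> Optional[Finding]:
    """Apply SEC354: scope check, then frontmatter presence, then applyTo."""
    if not is_path_specific_instruction(path):
        return None
    status, keys = parse_frontmatter(text)
    if status == "invalid":
        return None  # parse recovery is a different concern; stay silent
    if status == "none":
        return Finding(RULE_ID, path, "no frontmatter; add an applyTo glob")
    if "applyTo" not in keys:
        return Finding(RULE_ID, path, "frontmatter has no applyTo key")
    return None


# Constructed sample files covering every trigger and exclusion on the page.
SAMPLES = {
    ".github/instructions/review.instructions.md":
        "# Review guidance\nPrefer small, focused pull requests.\n",
    ".github/instructions/docs.instructions.md":
        "---\ntitle: Review\n---\nDocument every public function.\n",
    ".github/instructions/rust.instructions.md":
        '---\napplyTo: "**/*.rs"\n---\nRun cargo clippy before committing.\n',
    "tests/fixtures/.github/instructions/review.instructions.md":
        "# fixture without frontmatter\n",
    ".github/instructions/broken.instructions.md":
        "---\ntitle Review\n---\nbody\n",
    ".github/copilot-instructions.md":
        "Repository-wide guidance with no frontmatter.\n",
}


def run_samples() -> Dict[str, bool]:
    """Map each sample path to whether SEC354 fires on it."""
    return {p: check_sec354(p, t) is not None for p, t in SAMPLES.items()}


if __name__ == "__main__":
    for path, fired in run_samples().items():
        print(f"{'WARN ' if fired else 'clean'} {path}")
```

Only the first two samples fire: the file with no frontmatter and the one whose frontmatter has `title` but no `applyTo`. The fixture copy, the unparseable frontmatter and the repository-wide file stay clean for the three different reasons the page lists.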

False Positives

This rule stays Preview because some repos may still be migrating older instruction layouts. The rule is about deterministic Copilot configuration quality, not a claim that the repository is insecure by itself.

Remediation

Add explicit applyTo frontmatter to each path-specific instruction file, for example:

```yaml
---
applyTo: "**/*.rs"
---
```

If the content is meant to be repository-wide instead of path-specific, move it into .github/copilot-instructions.md.