lintai docs

Appearance

Rule Reference

SEC362lintai-ai-securitystableclaude_settingswarn

Claude settings: wildcard Bash permissions

Claude settings permissions allow `Bash(*)` in a shared committed config

Provider
lintai-ai-security
Surface
claude_settings
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership
claudemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks shared Claude settings permissions for explicit wildcard `Bash(*)` grants.

Deterministic signal basis

ClaudeSettingsSignals exact string detection for `Bash(*)` inside permissions.allow on parsed Claude settings JSON.

Malicious corpus
claude-settings-bash-wildcard
Benign corpus
claude-settings-bash-specific-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC364Claude settings: bypassPermissions default modeClaude settings set `permissions.defaultMode` to `bypassPermissions` in a shared committed configclaude_settingsstable
SEC367Claude settings: wildcard WebFetch permissionsClaude settings permissions allow `WebFetch(*)` in a shared committed configclaude_settingsstable
SEC369Claude settings: wildcard Write permissionsClaude settings permissions allow `Write(*)` in a shared committed configclaude_settingsstable
SEC372Claude settings: wildcard Read permissionsClaude settings permissions allow `Read(*)` in a shared committed configclaude_settingsstable
SEC373Claude settings: wildcard Edit permissionsClaude settings permissions allow `Edit(*)` in a shared committed configclaude_settingsstable
SEC374Claude settings: wildcard WebSearch permissionsClaude settings permissions allow `WebSearch(*)` in a shared committed configclaude_settingsstable

Why It Matters

SEC362 flags committed Claude settings files when permissions.allow contains the exact wildcard shell grant Bash(*).

This is useful because:

  • shared .claude/settings.json files are often copied across teams and repos
  • Bash(*) grants unrestricted shell execution instead of a reviewed command allowlist
  • this makes the shared agent policy much broader than most teams intend

What Triggers

This rule applies only to committed Claude settings surfaces:

  • .claude/settings.json
  • claude/settings.json

It triggers when:

  • permissions.allow contains the exact string Bash(*)

It does not trigger on:

  • narrower reviewed patterns such as Bash(git status)
  • fixture-like test/example paths

Examples

Bad:

json
{
  "permissions": {
    "allow": ["Bash(*)", "Read(*)"]
  }
}

Better:

json
{
  "permissions": {
    "allow": ["Bash(git status)", "Bash(npm test:*)", "Read(*)"]
  }
}

Remediation

  • replace Bash(*) with specific reviewed command patterns
  • keep the shared allowlist as narrow as possible for the repo's actual workflows