
Rule Reference

SEC364 | lintai-ai-security | stable | claude_settings | warn

Claude settings: bypassPermissions default mode

Claude settings set `permissions.defaultMode` to `bypassPermissions` in a shared committed config

Provider
lintai-ai-security
Surface
claude_settings
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the built-in activation graph through the preset memberships listed here.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks shared Claude settings for explicit `permissions.defaultMode = bypassPermissions`.

Deterministic signal basis

ClaudeSettingsSignals exact string detection for `permissions.defaultMode = bypassPermissions` on parsed Claude settings JSON.

Malicious corpus
claude-settings-bypass-permissions
Benign corpus
claude-settings-bypass-safe
structured evidence required
remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

SEC364 flags committed Claude settings that set `permissions.defaultMode` to `bypassPermissions`.

This is useful because:

  • shared Claude settings in git are team-facing policy, not a one-off local override
  • bypassPermissions suppresses the permission prompts that act as the review boundary for tool execution, and a default set once in a shared file is easy to overlook later
  • narrower shared permission modes with explicit allowlists are easier for teams to audit and trust

What Triggers

This rule applies only to committed Claude settings surfaces:

  • .claude/settings.json
  • claude/settings.json

It triggers only on the exact structural shape:

  • `permissions.defaultMode = "bypassPermissions"`

It does not trigger on:

  • other defaultMode values
  • settings files under fixture-like test/example paths
  • prose or markdown references outside real Claude settings JSON
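The following is an added, illustrative re-implementation of the check described above; it is not lintai's own code. It parses each candidate file as JSON and reports only the exact structural shape `permissions.defaultMode == "bypassPermissions"`, restricted to the two committed settings surfaces named on this page. The set of fixture-like path segments (`tests`, `fixtures`, `examples`, ...) is this example's own assumption, since the page says such paths are skipped but does not enumerate them; the sample file tree is constructed for the example.

```python
import json
from typing import Optional

RULE_ID = "SEC364"
BAD_MODE = "bypassPermissions"

# Committed Claude settings surfaces named on the page.
SETTINGS_SURFACES = (".claude/settings.json", "claude/settings.json")

# Assumed fixture-like segments: the page says such paths are skipped but does
# not list them, so this set is this example's own guess.
FIXTURE_SEGMENTS = frozenset({"test", "tests", "testdata", "fixture", "fixtures",
                              "example", "examples"})


def is_settings_surface(path: str) -> bool:
    """True for a real committed Claude settings file; False for anything else
    (wrong filename, markdown, or a copy sitting under a fixture-like path)."""
    norm = path.replace("\\", "/")
    if norm.startswith("./"):
        norm = norm[2:]
    for surface in SETTINGS_SURFACES:
        if norm == surface:
            prefix = ""
        elif norm.endswith("/" + surface):
            prefix = norm[: -len(surface) - 1]
        else:
            continue
        # Any fixture-like directory above the settings file disqualifies it.
        return not any(seg.lower() in FIXTURE_SEGMENTS
                       for seg in prefix.split("/") if seg)
    return False


def check_settings(path: str, text: str) -> Optional[dict]:
    """Return a finding for the exact structural shape
    permissions.defaultMode == "bypassPermissions", else None.
    Other defaultMode values and prose mentions never trigger."""
    if not is_settings_surface(path):
        return None
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return None  # not parseable settings JSON: no structural signal
    perms = doc.get("permissions") if isinstance(doc, dict) else None
    if not isinstance(perms, dict) or perms.get("defaultMode") != BAD_MODE:
        return None
    return {
        "rule": RULE_ID,
        "severity": "warn",
        "path": path,
        "evidence": f"permissions.defaultMode = {BAD_MODE!r}",
        "message": "Shared Claude settings default to bypassPermissions; "
                   "use a narrower defaultMode with an explicit allowlist.",
    }


def scan(files: dict) -> list:
    """Run the check over a {path: contents} mapping, as a linter walk would."""
    findings = []
    for path, text in files.items():
        finding = check_settings(path, text)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample tree for this example (not taken from any real repository).
SAMPLE_FILES = {
    ".claude/settings.json": json.dumps({
        "permissions": {"defaultMode": "bypassPermissions", "allow": ["Read", "Write"]}
    }),
    "services/api/claude/settings.json": json.dumps({
        "permissions": {"defaultMode": "default", "allow": ["Read", "Write"]}
    }),
    "tests/fixtures/.claude/settings.json": json.dumps({
        "permissions": {"defaultMode": "bypassPermissions"}
    }),
    "docs/claude.md": 'Set `"defaultMode": "bypassPermissions"` only locally.',
    ".claude/settings.json.bak": json.dumps({
        "permissions": {"defaultMode": "bypassPermissions"}
    }),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['rule']} [{f['severity']}] {f['path']}: {f['evidence']}")
```

Against the sample tree only the root `.claude/settings.json` is reported: the fixture copy, the markdown mention, the `.bak` file and the `default` mode file all fall outside the structural shape or the surface filter, which is what keeps the rule high-precision.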

Examples

Bad:

```json
{
  "permissions": {
    "defaultMode": "bypassPermissions",
    "allow": ["Read", "Write"]
  }
}
```

Better:

```json
{
  "permissions": {
    "defaultMode": "default",
    "allow": ["Read", "Write"]
  }
}
```

With `defaultMode` set to `default`, the `allow` list is what decides which tools run without a prompt, so keep it as narrow as the team actually needs.

Remediation

  • replace bypassPermissions with a narrower shared permissions mode
  • keep broad grants behind explicit reviewed allowlists instead of a global bypass default
  • treat committed Claude settings as team policy, not as a personal local convenience file