lintai docs

Appearance

Rule Reference

SEC370lintai-ai-securitypreviewmarkdownwarn

Copilot instructions: wrong path-specific suffix

Path-specific GitHub Copilot instruction markdown under `.github/instructions/` uses the wrong file suffix

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

guidancemembership

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Wrong suffix on path-specific Copilot instruction files is deterministic, but the first release stays guidance-only while ecosystem usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC353Copilot instructions: exceeds 4000 charsGitHub Copilot instruction markdown exceeds the 4000-character guidance limitmarkdownpreview
SEC354Copilot instructions: missing `applyTo`Path-specific GitHub Copilot instruction markdown is missing `applyTo` frontmattermarkdownpreview
SEC371Copilot instructions: invalid `applyTo` shapePath-specific GitHub Copilot instruction markdown has an invalid `applyTo` shapemarkdownpreview
SEC377Copilot instructions: invalid `applyTo` globPath-specific GitHub Copilot instruction markdown has an invalid `applyTo` glob patternmarkdownpreview
SEC101HTML comment: dangerous instructionsHidden HTML comment contains dangerous agent instructionsmarkdownpreview
SEC102Markdown: remote execution instructionMarkdown contains remote download-and-execute instruction outside code blocksmarkdownpreview

Why It Matters

Path-specific GitHub Copilot instruction files under .github/instructions/ need the .instructions.md suffix to participate in the expected layout contract. A plain .md filename can look correct in review but silently miss the intended path-specific behavior.

What Triggers

SEC370 applies only to path-specific GitHub Copilot instruction markdown under:

  • .github/instructions/*.md

It triggers when:

  • the file is under .github/instructions/
  • the file ends with .md
  • the file does not end with .instructions.md

Examples that trigger:

  • .github/instructions/review.md
  • .github/instructions/security-guidelines.md

Examples that stay clean:

  • .github/instructions/review.instructions.md
  • .github/copilot-instructions.md
  • fixture-like paths such as tests/fixtures/.github/instructions/review.md

False Positives

This rule stays Preview because some repositories may still be migrating older layouts. The signal is deterministic and structural, but the first release remains guidance-only until broader ecosystem usefulness is measured.

Remediation

  • rename path-specific Copilot instruction files to *.instructions.md
  • keep repository-wide Copilot guidance in .github/copilot-instructions.md