Rule Reference

SEC371 | lintai-ai-security | preview | markdown | warn

Copilot instructions: invalid `applyTo` shape

Path-specific GitHub Copilot instruction markdown has an invalid `applyTo` shape

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Invalid `applyTo` shape on path-specific Copilot instruction files is deterministic, but the first release stays guidance-only while ecosystem usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Path-specific GitHub Copilot instruction files use `applyTo` to scope guidance to file patterns. If `applyTo` is empty or malformed, the file can look valid in review while silently failing to target the intended files.

What Triggers

SEC371 applies only to path-specific GitHub Copilot instruction files:

  • `.github/instructions/*.instructions.md`

It triggers when `applyTo` exists but is not one of:

  • a non-empty string
  • a non-empty sequence of non-empty strings

Examples that trigger:

  • `applyTo: ""`
  • `applyTo: []`
  • `applyTo: [123]`
  • `applyTo: ["**/*.rs", ""]`

Examples that stay clean:

  • `applyTo: "**/*.rs"`
  • `applyTo: ["**/*.rs", "**/*.ts"]`
  • fixture-like paths such as `tests/fixtures/.github/instructions/review.instructions.md`
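
The shape check described above can be reproduced locally, for example as a pre-commit step. This is an added example, not lintai's own code; the helper names (`front_matter`, `check_apply_to`, `sample`) are hypothetical, and it assumes repo-relative paths and that `applyTo` sits in YAML front matter delimited by `---` lines.

```ruby
require "yaml"

# Assumption: paths are repo-relative, so the glob is anchored at the repo root.
INSTRUCTION_GLOB = ".github/instructions/*.instructions.md"

# Hypothetical helper: parse the YAML front matter of a markdown file.
def front_matter(text)
  m = text.match(/\A---[ \t]*\r?\n(.*?)\r?\n---[ \t]*(?:\r?\n|\z)/m)
  return {} unless m
  data = YAML.safe_load(m[1])
  data.is_a?(Hash) ? data : {}
rescue Psych::Exception
  {} # unparseable front matter is a different problem than applyTo shape
end

def nonempty_string?(value)
  value.is_a?(String) && !value.empty?
end

# Returns a finding message, or nil when the file is clean or out of scope.
def check_apply_to(path, text)
  return nil unless File.fnmatch?(INSTRUCTION_GLOB, path, File::FNM_PATHNAME)
  fm = front_matter(text)
  return nil unless fm.key?("applyTo") # the rule fires only when the key exists
  value = fm["applyTo"]
  ok = nonempty_string?(value) ||
       (value.is_a?(Array) && !value.empty? && value.all? { |g| nonempty_string?(g) })
  return nil if ok
  "#{path}: invalid applyTo shape: #{value.inspect}"
end

# Constructed sample file body around one front-matter line.
def sample(apply_to_line)
  "---\n#{apply_to_line}\n---\nPrefer explicit error types.\n"
end

if __FILE__ == $PROGRAM_NAME
  path = ".github/instructions/review.instructions.md"
  ['applyTo: ""', "applyTo: []", "applyTo: [123]", 'applyTo: ["**/*.rs", ""]',
   'applyTo: "**/*.rs"', 'applyTo: ["**/*.rs", "**/*.ts"]'].each do |line|
    puts "#{line.ljust(36)} -> #{check_apply_to(path, sample(line)) || 'clean'}"
  end
end
```

Because the front matter goes through a YAML parser, block-style sequences are checked the same way as the inline forms listed above.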

False Positives

This rule stays Preview because some repositories may still be migrating older layouts. The signal is deterministic and structural, but the first release remains guidance-only until broader ecosystem usefulness is measured.

Remediation

  • set `applyTo` to a non-empty string glob, or
  • set `applyTo` to a non-empty YAML sequence of non-empty glob strings