lintai docs

Appearance

Rule Reference

SEC377lintai-ai-securitypreviewmarkdownwarn

Copilot instructions: invalid `applyTo` glob

Path-specific GitHub Copilot instruction markdown has an invalid `applyTo` glob pattern

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

guidancemembership

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Invalid `applyTo` glob patterns on path-specific Copilot instruction files are deterministic, but the first release stays guidance-only while ecosystem usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC353Copilot instructions: exceeds 4000 charsGitHub Copilot instruction markdown exceeds the 4000-character guidance limitmarkdownpreview
SEC354Copilot instructions: missing `applyTo`Path-specific GitHub Copilot instruction markdown is missing `applyTo` frontmattermarkdownpreview
SEC370Copilot instructions: wrong path-specific suffixPath-specific GitHub Copilot instruction markdown under `.github/instructions/` uses the wrong file suffixmarkdownpreview
SEC371Copilot instructions: invalid `applyTo` shapePath-specific GitHub Copilot instruction markdown has an invalid `applyTo` shapemarkdownpreview
SEC101HTML comment: dangerous instructionsHidden HTML comment contains dangerous agent instructionsmarkdownpreview
SEC102Markdown: remote execution instructionMarkdown contains remote download-and-execute instruction outside code blocksmarkdownpreview

Why It Matters

SEC377 flags path-specific GitHub Copilot instruction files when applyTo is present with the right shape but contains an invalid glob pattern.

This is useful because:

  • Copilot path-specific instructions rely on applyTo to target files consistently
  • an invalid glob can look valid in review while silently failing to match the intended files
  • this stays a strict config-contract check with no prose heuristics

Trigger Shape

  • file path is .github/instructions/*.instructions.md
  • frontmatter parses successfully
  • applyTo is a string or list of strings
  • at least one applyTo pattern fails deterministic glob compilation

Clean Cases

  • applyTo: "**/*.rs"
  • applyTo: ["**/*.rs", "**/*.ts"]
  • fixture/test/example copies
  • files already caught by missing/invalid-shape rules instead

Example Trigger

md
---
applyTo: "[unclosed"
---

Safer Example

md
---
applyTo: "**/*.rs"
---

How To Fix

  • replace invalid applyTo patterns with valid globs
  • keep path-specific Copilot instructions on reviewed, testable file patterns