lintai docs

Appearance

Rule Reference

SEC390lintai-ai-securitypreviewmarkdownwarn

AI markdown: shared git push tool grant

AI-native markdown frontmatter grants `Bash(git push)` tool access

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

governancemembership

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Shared git push grants in AI-native frontmatter can be legitimate workflow policy, so the first release stays in the opt-in governance lane while usefulness and default posture are measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC391AI markdown: shared git checkout tool grantAI-native markdown frontmatter grants `Bash(git checkout:*)` tool accessmarkdownpreview
SEC392AI markdown: shared git commit tool grantAI-native markdown frontmatter grants `Bash(git commit:*)` tool accessmarkdownpreview
SEC393AI markdown: shared git stash tool grantAI-native markdown frontmatter grants `Bash(git stash:*)` tool accessmarkdownpreview
SEC474AI markdown: shared gh pr tool grantAI-native markdown frontmatter grants `Bash(gh pr:*)` tool accessmarkdownpreview
SEC494AI markdown: shared npm exec tool grantAI-native markdown frontmatter grants `Bash(npm exec:*)` tool accessmarkdownpreview
SEC495AI markdown: shared bunx tool grantAI-native markdown frontmatter grants `Bash(bunx:*)` tool accessmarkdownpreview

SEC390 / MD-GIT-PUSH-PERMISSION

SEC390 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants the exact token Bash(git push).

Why It Matters

git push is a high-impact mutation step. Granting it directly in shared instruction frontmatter makes publication authority part of the default workflow instead of a narrower reviewed action.

This rule intentionally lives in the opt-in governance preset rather than the main preview lane. A shared skill may legitimately document a publish workflow, but repo-wide push authority still deserves explicit review instead of reading like a headline vulnerability finding.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token Bash(git push)

Clean Cases

These stay clean:

  • more specific command examples such as Bash(git push origin main)
  • unrelated Git permissions like Bash(git status)
  • fixture-like examples under test or fixture paths

Example Trigger

yaml
---
allowed-tools: Bash(git push), Read
---

Safer Example

yaml
---
allowed-tools: Bash(git status), Read
---

How To Fix

Review whether shared Bash(git push) access is really needed, or replace it with a narrower workflow-specific permission that does not grant direct push authority by default.