lintai docs

Appearance

Rule Reference

SEC391lintai-ai-securitypreviewmarkdownwarn

AI markdown: shared git checkout tool grant

AI-native markdown frontmatter grants `Bash(git checkout:*)` tool access

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

governancemembership

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Shared git checkout grants in AI-native frontmatter can be legitimate workflow policy, so the first release stays in the opt-in governance lane while usefulness and default posture are measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC390AI markdown: shared git push tool grantAI-native markdown frontmatter grants `Bash(git push)` tool accessmarkdownpreview
SEC392AI markdown: shared git commit tool grantAI-native markdown frontmatter grants `Bash(git commit:*)` tool accessmarkdownpreview
SEC393AI markdown: shared git stash tool grantAI-native markdown frontmatter grants `Bash(git stash:*)` tool accessmarkdownpreview
SEC474AI markdown: shared gh pr tool grantAI-native markdown frontmatter grants `Bash(gh pr:*)` tool accessmarkdownpreview
SEC494AI markdown: shared npm exec tool grantAI-native markdown frontmatter grants `Bash(npm exec:*)` tool accessmarkdownpreview
SEC495AI markdown: shared bunx tool grantAI-native markdown frontmatter grants `Bash(bunx:*)` tool accessmarkdownpreview

SEC391 / MD-GIT-CHECKOUT-PERMISSION

SEC391 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants the exact token Bash(git checkout:*).

Why It Matters

Broad checkout authority can rewrite working state, switch branches, or detach review context. That is safer as a narrower reviewed workflow than as a shared default grant.

This rule intentionally lives in the opt-in governance preset rather than the main preview lane. Shared branch-switching permissions can be legitimate workflow design, but they still deserve explicit review as a policy choice instead of a headline security claim.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token Bash(git checkout:*)

Clean Cases

These stay clean:

  • more specific command examples such as Bash(git checkout feature-branch)
  • unrelated Git permissions like Bash(git status)
  • fixture-like examples under test or fixture paths

Example Trigger

yaml
---
allowed-tools:
  - Bash(git checkout:*)
  - Read
---

Safer Example

yaml
---
allowed-tools:
  - Bash(git checkout feature-branch)
  - Read
---

How To Fix

Review whether shared Bash(git checkout:*) access is really needed, or replace it with a narrower workflow-specific permission that does not grant broad checkout authority by default.