Rule Reference

SEC444lintai-ai-securitystablemarkdownwarn

AI markdown: `Bash(git apply:*)` tool grant

AI-native markdown frontmatter grants `Bash(git apply:*)` authority

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for wildcard git apply grants in shared allowed-tools policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for `Bash(git apply:*)` inside allowed-tools or allowed_tools.

Malicious corpus

skill-git-apply-allowed-tools

Benign corpus

skill-git-apply-allowed-tools-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable

SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable

SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable

SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable

SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

SEC444 / MD-GIT-APPLY-ALLOWED-TOOLS

SEC444 flags AI-native markdown frontmatter when allowed-tools grants the exact token Bash(git apply:*).

Why It Matters

Blanket git apply authority lets an agent apply arbitrary patch content by default. In shared AI instruction frontmatter, that is broader than most reviewed patch workflows should be.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface with parsed frontmatter
the path is not fixture-like
allowed-tools or allowed_tools contains the exact token Bash(git apply:*)

Clean Cases

These stay clean:

more specific reviewed commands such as Bash(git apply fix.patch)
frontmatter that does not grant git apply
fixture-like examples under test or fixture paths

Example Trigger

---
allowed-tools:
  - Bash(git apply:*)
  - Read
---

Safer Example

---
allowed-tools:
  - Bash(git apply fix.patch)
  - Read
---

How To Fix

Replace Bash(git apply:*) with a narrower reviewed command pattern, or remove broad patch-application authority from shared frontmatter entirely.

AI markdown: `Bash(git apply:*)` tool grant

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC444 / MD-GIT-APPLY-ALLOWED-TOOLS ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​