Rule Reference

SEC472lintai-ai-securitystablemarkdownwarn

AI markdown: GIT_SSL_NO_VERIFY

AI-native markdown disables Git TLS verification with `GIT_SSL_NO_VERIFY`

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown for exact Git command examples that disable TLS verification through `GIT_SSL_NO_VERIFY`.

Deterministic signal basis

MarkdownSignals exact `GIT_SSL_NO_VERIFY=1` or `GIT_SSL_NO_VERIFY=true` token analysis when a Git command appears in the same parsed markdown region, excluding safety-warning phrasing.

Malicious corpus

skill-git-ssl-no-verify

Benign corpus

skill-git-ssl-no-verify-disabled-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable

SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable

SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable

SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable

SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

SEC472 flags AI-native markdown when an exact Git command example disables transport verification through GIT_SSL_NO_VERIFY=1 or GIT_SSL_NO_VERIFY=true.

Why this matters

GIT_SSL_NO_VERIFY disables normal TLS verification for Git HTTP transport. In shared AI-native instructions, that turns a risky trust-bypass workaround into copy-pastable setup guidance.

What triggers it

a parsed markdown region contains:
- GIT_SSL_NO_VERIFY=1
- or GIT_SSL_NO_VERIFY=true
and the same region also contains a Git command

The finding points to the GIT_SSL_NO_VERIFY token.

What does not trigger it

GIT_SSL_NO_VERIFY=0 git ...
safety guidance such as Avoid GIT_SSL_NO_VERIFY=1 git clone ...
unrelated prose that mentions the variable without a Git command

Example

bash

GIT_SSL_NO_VERIFY=1 git clone https://github.com/acme/demo.git

Better

bash

git clone https://github.com/acme/demo.git

Remediation

Remove GIT_SSL_NO_VERIFY and keep Git transport verification enabled instead of teaching a shared TLS-bypass workflow.

AI markdown: GIT_SSL_NO_VERIFY

Preset Membership

Stable Lifecycle Contract

Related Rules

Why this matters ​

What triggers it ​

What does not trigger it ​

Example ​

Better ​