lintai docs

Appearance

Rule Reference

SEC628lintai-ai-securitystableclaude_settingswarn

Claude settings: bare Write permissions

Claude settings permissions allow bare `Write` in a shared committed config

Provider
lintai-ai-security
Surface
claude_settings
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership
claudemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks shared Claude settings permissions for exact bare `Write` grants.

Deterministic signal basis

ClaudeSettingsSignals exact string detection for bare `Write` inside permissions.allow on parsed Claude settings JSON.

Malicious corpus
claude-settings-unscoped-tool-family
Benign corpus
claude-settings-unscoped-tool-family-specific-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC362Claude settings: wildcard Bash permissionsClaude settings permissions allow `Bash(*)` in a shared committed configclaude_settingsstable
SEC364Claude settings: bypassPermissions default modeClaude settings set `permissions.defaultMode` to `bypassPermissions` in a shared committed configclaude_settingsstable
SEC367Claude settings: wildcard WebFetch permissionsClaude settings permissions allow `WebFetch(*)` in a shared committed configclaude_settingsstable
SEC369Claude settings: wildcard Write permissionsClaude settings permissions allow `Write(*)` in a shared committed configclaude_settingsstable
SEC372Claude settings: wildcard Read permissionsClaude settings permissions allow `Read(*)` in a shared committed configclaude_settingsstable
SEC373Claude settings: wildcard Edit permissionsClaude settings permissions allow `Edit(*)` in a shared committed configclaude_settingsstable

SEC628 / CLAUDE-WRITE

SEC628 flags shared committed Claude settings when permissions.allow contains the exact bare tool token Write.

Why It Matters

Bare Write grants unreviewed file mutation authority without narrowing writes to repository-scoped paths.

Trigger Shape

This rule matches parsed Claude settings JSON where permissions.allow contains the exact string Write.

How To Fix

Replace bare Write with a narrower reviewed permission pattern such as Write(./artifacts/**), or remove broad write access from the shared Claude settings file.