
Rule Reference

SEC754

Devcontainer: host-side initializeCommand

Devcontainer config defines a host-side initializeCommand

Provider: lintai-ai-security
Surface: devcontainer
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks committed devcontainer configs for non-empty `initializeCommand`, which executes on the local host before container startup.

Deterministic signal basis

DevcontainerSignals semantic JSON parsing plus exact value-span resolution for a non-empty top-level `initializeCommand` in `.devcontainer.json` or `.devcontainer/devcontainer.json`.

Malicious corpus: devcontainer-initialize-command-host
Benign corpus: devcontainer-no-initialize-command-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

`initializeCommand` runs on the local host before the dev container starts. In a committed `devcontainer.json`, that turns repository config into a host-execution surface rather than just a container setup description.

What Triggers

SEC754 matches `.devcontainer.json` and `.devcontainer/devcontainer.json` when they define a non-empty top-level `initializeCommand`.

False Positives

The rule is narrow and structural. It only checks the dedicated host-side lifecycle key and does not flag container-side lifecycle hooks such as `postCreateCommand`.

Remediation

Remove committed `initializeCommand` usage, or move setup into reviewed container build steps or container-side lifecycle hooks that do not execute on the local host.
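The trigger, false-positive and remediation sections above, as an added stand-alone example that is not lintai's own implementation: a minimal structural check that parses a devcontainer config (with a simplified JSONC comment/trailing-comma strip, an assumption since the file format allows comments), flags a non-empty top-level `initializeCommand` in any of the spec's three shapes (string, argv list, object of named commands), and leaves `postCreateCommand` alone. The two configs are constructed samples.

```python
import json
import re

# Only the two paths the rule inspects are in scope.
DEVCONTAINER_PATHS = (".devcontainer.json", ".devcontainer/devcontainer.json")

def _strip_jsonc(text: str) -> str:
    """Simplified JSONC handling: drop /* */ blocks, whole-line // comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def _is_nonempty_command(value) -> bool:
    """Lifecycle commands may be a shell string, an argv list, or an object of named parallel commands."""
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, list):
        return any(isinstance(v, str) and v.strip() for v in value)
    if isinstance(value, dict):
        return any(_is_nonempty_command(v) for v in value.values())
    return False

def check_sec754(path: str, text: str) -> list[dict]:
    """Return one SEC754 finding when `path` is a devcontainer config with a non-empty initializeCommand."""
    if path.replace("\\", "/") not in DEVCONTAINER_PATHS:
        return []
    try:
        config = json.loads(_strip_jsonc(text))
    except json.JSONDecodeError:
        return []  # structural rule: an unparsable file produces no evidence, so no finding
    value = config.get("initializeCommand") if isinstance(config, dict) else None
    if not _is_nonempty_command(value):
        return []
    return [{"rule": "SEC754", "severity": "warn", "path": path,
             "message": "Devcontainer config defines a host-side initializeCommand", "value": value}]

# Constructed samples: the flagged form, and the same setup moved into a container-side hook.
FLAGGED = '''{
  // this hook runs on the developer's host before the container exists
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "initializeCommand": "bash .devcontainer/bootstrap.sh",
}'''
REMEDIATED = '''{
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "postCreateCommand": "bash .devcontainer/bootstrap.sh"
}'''
```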