EresusSecurity

Scan Size and Resource Limit Rules

Reports files, archives, or tensor metadata that exceed safe scanning and runtime thresholds.

Definition

The Size limits rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

Large AI artifacts are normal, but unbounded scanning can exhaust CI runners and hide malicious content behind resource pressure.

Supported inputs

  • all scanned files
  • archives
  • model tensor metadata
  • directory scans

Typical attack scenarios

  • A model file is too large for full static inspection.
  • A tensor shape would allocate excessive memory at load time.
  • A repository contains enough nested files to slow CI until checks time out.

Detection logic

Sentinel ties Size limits evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read Size limits findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist
  • Source: where did the file, manifest, prompt, archive, or dependency come from?
  • Impact: code execution, data leakage, supply chain, or resource consumption?
  • Control: allowlist, hash, sandbox, egress policy, or secret rotation?
  • Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml
category: SCAN-SIZE
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel artifact ./models/ --rule SCAN-SIZE"

Rule index

Rule ID | Severity | Title | CWE | Fix Hint
SCAN-SIZE-MAX-FILE | INFO | File Exceeds Scan Size Policy | CWE-400 | Tune max file size intentionally.
SCAN-SIZE-ARCHIVE-RATIO | MEDIUM | Archive Expansion Ratio Exceeds Policy | CWE-409 | Limit decompression ratio.
SCAN-SIZE-TENSOR-DIMENSION | MEDIUM | Excessive Tensor Dimension | CWE-770 | Reject tensor metadata that exceeds runtime budgets.

SCAN-SIZE-MAX-FILE: File Exceeds Scan Size Policy

Rule ID: SCAN-SIZE-MAX-FILE
Category: SCAN-SIZE
Severity: INFO
CWE: CWE-400
OWASP LLM: LLM10 — Unbounded Consumption
FP Risk: LOW
Owner: AI/ML platform or model release owner
Release decision: Keep for inventory and context; do not treat as a vulnerability by itself.

Description

Reports artifacts larger than the configured full-scan threshold.

Why it matters

Large AI artifacts are normal, but unbounded scanning can exhaust CI runners and hide malicious content behind resource pressure.

When it fires

Sentinel fires this rule in the Size limits category when the file byte size exceeds max_file_size or the scanner policy limit. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

File byte size exceeds max_file_size or scanner policy limit.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Keep for inventory and context; do not treat as a vulnerability by itself.
  • Evidence: File byte size exceeds max_file_size or scanner policy limit.
  • Closure: sentinel artifact ./models/ --rule SCAN-SIZE must return clean output.

How to fix

Use streaming scan mode, split large bundles, or attach a signed manifest with expected file sizes.

CLI

sentinel artifact ./models/ --rule SCAN-SIZE

Policy example

sentinel-policy.yml
rules:
  SCAN-SIZE-MAX-FILE:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule SCAN-SIZE"

Expected output

SCAN-SIZE-MAX-FILE INFO
File Exceeds Scan Size Policy
Tune max file size intentionally.

Example

Bad
shape = [1024, 1024, 1024, 1024]
max_scan_bytes = "unlimited"
Good
max_file_size = "5GB"
max_archive_ratio = 100
max_tensor_elements = 2_000_000_000

SCAN-SIZE-ARCHIVE-RATIO: Archive Expansion Ratio Exceeds Policy

Rule ID: SCAN-SIZE-ARCHIVE-RATIO
Category: SCAN-SIZE
Severity: MEDIUM
CWE: CWE-409
OWASP LLM: LLM10 — Unbounded Consumption
FP Risk: MEDIUM
Owner: AI/ML platform or model release owner
Release decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Flags archives whose projected expansion ratio exceeds safe CI or runtime limits.

Why it matters

Large AI artifacts are normal, but unbounded scanning can exhaust CI runners and hide malicious content behind resource pressure.

When it fires

Sentinel fires this rule in the Size limits category when the compressed and uncompressed sizes imply a ratio above max_archive_ratio. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Compressed and uncompressed sizes imply a ratio above max_archive_ratio.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
  • Evidence: Compressed and uncompressed sizes imply a ratio above max_archive_ratio.
  • Closure: sentinel artifact ./models/ --rule SCAN-SIZE must return clean output.

How to fix

Require expected-size manifests and extract under quotas.
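
The ratio check and quota-bound extraction described for this rule, as an added example that is not Sentinel's own code. It assumes ZIP archives; the function names and the 64 MiB byte_quota are hypothetical, while max_archive_ratio = 100 matches the policy example on this page.

```python
import io
import zipfile

RULE_ID = "SCAN-SIZE-ARCHIVE-RATIO"

class QuotaExceeded(Exception):
    """Raised when real decompressed output passes the byte quota."""

def make_zip(name, payload, stored=False):
    """Build a constructed sample archive in memory (not a real model)."""
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def declared_ratio(zf):
    """Expansion ratio implied by the sizes recorded in the archive."""
    infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    return sum(i.file_size for i in infos) / max(compressed, 1)

def bounded_read(zf, byte_quota, chunk=65536):
    """Decompress every member in chunks, counting real output bytes."""
    total = 0
    for info in zf.infolist():
        with zf.open(info) as member:
            while data := member.read(chunk):
                total += len(data)
                if total > byte_quota:
                    raise QuotaExceeded(f"{info.filename}: over {byte_quota} bytes")
    return total

def check_archive(blob, max_archive_ratio=100, byte_quota=64 * 2**20):
    """Return a finding dict, or None when the archive is within policy."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        ratio = declared_ratio(zf)
        if ratio > max_archive_ratio:  # cheap metadata check comes first
            return {"rule": RULE_ID, "severity": "MEDIUM", "ratio": round(ratio)}
        bounded_read(zf, byte_quota)   # then enforce the quota on real bytes
    return None

if __name__ == "__main__":
    # Constructed samples: 4 MiB of zeros (highly compressible) and a tiny stored file.
    print(check_archive(make_zip("weights.bin", b"\0" * (4 * 2**20))))
    print(check_archive(make_zip("config.json", b'{"layers": 12}', stored=True)))
```

The metadata check is cheap but trusts the archive's own size fields, so the chunked read with a hard quota is what actually bounds resource use. Nested archives are not unpacked here and would need the same quota applied across every level.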

CLI

sentinel artifact ./models/ --rule SCAN-SIZE

Policy example

sentinel-policy.yml
rules:
  SCAN-SIZE-ARCHIVE-RATIO:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule SCAN-SIZE"

Expected output

SCAN-SIZE-ARCHIVE-RATIO MEDIUM
Archive Expansion Ratio Exceeds Policy
Limit decompression ratio.

Example

Bad
shape = [1024, 1024, 1024, 1024]
max_scan_bytes = "unlimited"
Good
max_file_size = "5GB"
max_archive_ratio = 100
max_tensor_elements = 2_000_000_000

SCAN-SIZE-TENSOR-DIMENSION: Excessive Tensor Dimension

Rule ID: SCAN-SIZE-TENSOR-DIMENSION
Category: SCAN-SIZE
Severity: MEDIUM
CWE: CWE-770
OWASP LLM: LLM10 — Unbounded Consumption
FP Risk: MEDIUM
Owner: AI/ML platform or model release owner
Release decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Detects tensor shapes that imply unreasonable allocation size or overflow risk.

Why it matters

Large AI artifacts are normal, but unbounded scanning can exhaust CI runners and hide malicious content behind resource pressure.

When it fires

Sentinel fires this rule in the Size limits category when the product of tensor dimensions exceeds configured element or byte limits. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Product of tensor dimensions exceeds configured element or byte limits.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
  • Evidence: Product of tensor dimensions exceeds configured element or byte limits.
  • Closure: sentinel artifact ./models/ --rule SCAN-SIZE must return clean output.

How to fix

Validate model metadata and load the artifact only in resource-constrained environments.
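
One way to validate tensor metadata before anything is allocated, as an added example that is not Sentinel's own code. It assumes a safetensors-style layout (8-byte little-endian length prefix followed by a JSON header with dtype, shape, and data_offsets per tensor); the function names and max_tensor_bytes are hypothetical, while max_tensor_elements matches the policy example on this page.

```python
import json
import math
import struct

RULE_ID = "SCAN-SIZE-TENSOR-DIMENSION"
DTYPE_BYTES = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4, "U8": 1}
U64_MAX = 2**64 - 1

def make_sample(tensors):
    """Build a constructed header-only sample: u64 length prefix + JSON."""
    header = json.dumps(tensors).encode()
    return struct.pack("<Q", len(header)) + header

def read_header(blob, max_header_bytes=16 * 2**20):
    """Parse the length-prefixed JSON header without touching tensor data."""
    if len(blob) < 8:
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > max_header_bytes or 8 + n > len(blob):
        raise ValueError("header length outside policy or file bounds")
    return json.loads(blob[8:8 + n])

def check_tensors(blob, max_tensor_elements=2_000_000_000, max_tensor_bytes=8 * 2**30):
    """Return one finding per tensor whose declared shape breaks the budget."""
    findings = []
    for name, meta in read_header(blob).items():
        if name == "__metadata__":
            continue
        shape, reasons = meta["shape"], []
        if any(type(d) is not int or d < 0 for d in shape):
            reasons.append("invalid-dimension")
            elements = nbytes = None
        else:
            elements = math.prod(shape)  # Python ints are exact, no wraparound
            nbytes = elements * DTYPE_BYTES.get(meta["dtype"], 8)
            begin, end = meta["data_offsets"]
            if elements > max_tensor_elements:
                reasons.append("elements")
            if nbytes > max_tensor_bytes:
                reasons.append("bytes")
            if nbytes > U64_MAX:  # a 64-bit loader would wrap this to a small value
                reasons.append("u64-overflow")
            if end - begin != nbytes:  # declared data span must match the shape
                reasons.append("offset-mismatch")
        if reasons:
            findings.append({"rule": RULE_ID, "tensor": name,
                             "elements": elements, "reasons": reasons})
    return findings
```

The shape [1024, 1024, 1024, 1024] from the Bad example yields 2**40 elements and is flagged on element count, byte size, and offset mismatch. A shape such as [2**32, 2**32] is additionally flagged as an overflow, because a loader multiplying in 64-bit arithmetic would compute a size of zero.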

CLI

sentinel artifact ./models/ --rule SCAN-SIZE

Policy example

sentinel-policy.yml
rules:
  SCAN-SIZE-TENSOR-DIMENSION:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule SCAN-SIZE"

Expected output

SCAN-SIZE-TENSOR-DIMENSION MEDIUM
Excessive Tensor Dimension
Reject tensor metadata that exceeds runtime budgets.

Example

Bad
shape = [1024, 1024, 1024, 1024]
max_scan_bytes = "unlimited"
Good
max_file_size = "5GB"
max_archive_ratio = 100
max_tensor_elements = 2_000_000_000
