# AGENTS.md instructions for Trivy for dependency, container, IaC, and SBOM scanning

Use Trivy only to scan code, containers, dependencies, Kubernetes manifests, and SBOMs, and to produce machine-readable reports from those scans.

## Default behavior

- Prefer non-interactive commands and stable output formats: `json` or `sarif` when the output will be parsed or cited, `table` only for a human reading the terminal.
- Start with read-only inspection commands before changing state.
- Show the exact command before destructive or deployment actions.
- Require explicit user approval for commands marked `requires-review` or `destructive`.

## Useful commands

- safe: `trivy fs --scanners vuln,misconfig,secret --format json --output trivy.json .` — Scans dependency manifests and lockfiles for vulnerabilities, IaC files for misconfigurations, and source for hard-coded secrets, writing JSON output. `--scanners` is given explicitly because `trivy fs` does not run misconfiguration (IaC) checks by default.
- safe: `trivy image --format json --output image-scan.json node:22` — Scans a container image for vulnerabilities. A tag resolves to whatever digest it points at when the scan runs; pin by digest (`node:22@sha256:<digest>`) when the report must be reproducible.
- requires-review: `npm update && npm audit fix` — Remediation changes dependencies and should require review.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits (`.trivyignore` or whatever `--ignorefile` points at), policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
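An added example, not code from the Trivy project or from this page, that ties the commands above to these safety notes: it builds the read-only `trivy fs` invocation, then parses a Trivy-format JSON report so each finding is cited by ID, package, and target, and a dependency-changing remediation is proposed only when fixable HIGH/CRITICAL findings exist. The embedded report is constructed sample data in Trivy's JSON layout with placeholder IDs (not real CVEs or checks), and the function names are this example's own.

```python
"""Added example, not code from the Trivy project or from this AGENTS.md.

Builds the read-only Trivy invocation an agent should run first, then triages a
Trivy-format JSON report so each finding can be cited by ID, package and target
rather than paraphrased from terminal text. SAMPLE_REPORT is constructed data in
Trivy's JSON layout with placeholder IDs; it was not produced by a real scan.
"""
import json
from typing import Dict, List, Optional, Sequence

# Constructed sample report in Trivy's JSON layout (SchemaVersion 2).
# The IDs use an impossible CVE year and a made-up check ID on purpose.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH", "Title": "placeholder finding with a fix"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "LOW", "Title": "placeholder finding, no fix"},
            ],
        },
        {
            "Target": "deploy/deployment.yaml",
            "Class": "config",
            "Type": "kubernetes",
            "Misconfigurations": [
                {"ID": "CHECK-0001", "Title": "placeholder misconfiguration",
                 "Severity": "MEDIUM", "Status": "FAIL",
                 "Message": "placeholder message"},
            ],
        },
    ],
})


def read_only_scan_argv(path: str = ".", output: str = "trivy.json",
                        scanners: Sequence[str] = ("vuln", "misconfig", "secret"),
                        severities: Optional[Sequence[str]] = None) -> List[str]:
    """argv for a non-mutating scan. --scanners is passed explicitly because
    `trivy fs` does not run misconfiguration (IaC) checks unless asked; --exit-code 0
    keeps the step from failing so the agent reads the report before acting."""
    argv = ["trivy", "fs", "--scanners", ",".join(scanners),
            "--format", "json", "--output", output, "--exit-code", "0"]
    if severities:
        argv += ["--severity", ",".join(severities)]
    return argv + [path]


def triage(report_json: str) -> List[Dict[str, str]]:
    """Flatten vulnerabilities and failed misconfigurations into one list of
    findings, each carrying the fields needed to cite it exactly."""
    report = json.loads(report_json)
    findings: List[Dict[str, str]] = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "kind": "vuln", "id": v["VulnerabilityID"], "target": target,
                "pkg": v.get("PkgName", ""), "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""), "severity": v.get("Severity", "UNKNOWN"),
            })
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue  # PASS entries appear only with --include-non-failures
            findings.append({
                "kind": "misconfig", "id": m["ID"], "target": target,
                "pkg": result.get("Type", ""), "installed": "", "fixed": "",
                "severity": m.get("Severity", "UNKNOWN"),
            })
    return findings


def cite(f: Dict[str, str]) -> str:
    """One-line citation an agent can paste into a report or PR comment."""
    if f["kind"] == "vuln":
        fix = f"fix in {f['fixed']}" if f["fixed"] else "no fix available"
        return f"{f['id']} {f['severity']} {f['pkg']}@{f['installed']} in {f['target']} ({fix})"
    return f"{f['id']} {f['severity']} {f['pkg']} misconfiguration in {f['target']}"


def fixable_ids(findings: List[Dict[str, str]],
                minimum: Sequence[str] = ("HIGH", "CRITICAL")) -> List[str]:
    """IDs that a dependency update could resolve at the given severities. A
    non-empty list is the signal that a requires-review remediation step
    (npm update && npm audit fix, or equivalent) is worth proposing."""
    return sorted(f["id"] for f in findings
                  if f["kind"] == "vuln" and f["fixed"] and f["severity"] in minimum)


if __name__ == "__main__":
    print(" ".join(read_only_scan_argv()))
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(cite(f))
    print("remediation candidates:", fixable_ids(found))
```

The scan stays read-only: `read_only_scan_argv` never touches lockfiles or ignore files, and `fixable_ids` only reports which findings would justify the `requires-review` remediation step, leaving the decision to the user. Findings with no `FixedVersion` are cited but never counted as remediation candidates, since a dependency update cannot resolve them.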