# AGENTS.md instructions for Trivy (dependency, container, IaC and SBOM scanning)

Use Trivy (dependency, container, IaC and SBOM scanning) only for: scanning code, containers, dependencies, Kubernetes configuration and SBOMs, and producing machine-readable reports.

## Default behavior

- Prefer non-interactive commands and stable output formats: json, sarif, table.
- Start with read-only inspection commands before changing state.
- Show the exact command before destructive or deployment actions.
- Require explicit user approval for commands marked `requires-review` or `destructive`.

## Useful commands

- safe: `trivy fs --scanners vuln,misconfig,secret --format json --output trivy.json .` — Scans dependencies, IaC files and secrets and writes JSON output. The explicit `--scanners` list is needed because `trivy fs` does not run misconfiguration checks by default.
- safe: `trivy image --format json --output image-scan.json node:22` — Scans a container image for vulnerabilities.
- requires-review: `npm update && npm audit fix` — Remediation changes dependencies and should require review.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
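As an added example (not part of Trivy or of this instructions file), the script below shows how an agent can turn a Trivy JSON report produced by the `trivy fs --format json --output trivy.json .` or `trivy image --format json ...` commands above into citable findings, and how to gate on severity before any remediation is proposed. It assumes Trivy's JSON schema version 2; the embedded sample report is constructed for illustration and its CVE and check IDs are placeholders, not real identifiers.

```python
"""Flatten a Trivy JSON report (schema v2) into citable findings and a severity gate.

Added example; not Trivy project code. Assumes a report written by
`trivy fs --format json --output trivy.json .` or `trivy image --format json ...`.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample report. Field names follow Trivy's JSON schema v2;
# the CVE and check IDs below are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH", "Title": "placeholder title"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "LOW", "Title": "placeholder title"},
            ],
        },
        {
            "Target": "deploy/deployment.yaml",
            "Class": "config",
            "Type": "kubernetes",
            "Misconfigurations": [
                {"ID": "KSV-PLACEHOLDER", "Severity": "CRITICAL",
                 "Title": "placeholder misconfiguration",
                 "Message": "placeholder message", "Status": "FAIL"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    target: str          # file or image layer the finding was found in
    kind: str            # "vuln" or "misconfig"
    finding_id: str      # VulnerabilityID or misconfiguration check ID
    severity: str
    subject: str         # package@version, or the check title
    fixed_version: str   # empty when Trivy reports no fix

    def citation(self) -> str:
        """One line the agent can quote verbatim instead of paraphrasing table output."""
        line = f"{self.target}: {self.finding_id} [{self.severity}] {self.subject}"
        if self.kind == "vuln":
            line += f", fixed in {self.fixed_version}" if self.fixed_version else ", no fix available"
        return line


def parse_report(report_text: str) -> list[Finding]:
    """Return one Finding per vulnerability or failed misconfiguration check."""
    report = json.loads(report_text)
    if report.get("SchemaVersion") != 2:
        raise ValueError(f"unexpected Trivy schema version: {report.get('SchemaVersion')!r}")
    findings: list[Finding] = []
    # "Results" is absent or null when Trivy found nothing to scan.
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                target=target, kind="vuln", finding_id=vuln["VulnerabilityID"],
                severity=vuln.get("Severity", "UNKNOWN").upper(),
                subject=f"{vuln.get('PkgName')}@{vuln.get('InstalledVersion')}",
                fixed_version=vuln.get("FixedVersion") or "",
            ))
        for check in result.get("Misconfigurations") or []:
            if check.get("Status", "FAIL") == "PASS":  # passed checks only appear when requested
                continue
            findings.append(Finding(
                target=target, kind="misconfig", finding_id=check["ID"],
                severity=check.get("Severity", "UNKNOWN").upper(),
                subject=check.get("Title", ""), fixed_version="",
            ))
    return findings


def blocking_findings(findings: list[Finding], threshold: str = "HIGH") -> list[Finding]:
    """Findings at or above the threshold; these require review before any remediation."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= floor]


if __name__ == "__main__":
    # Usage: python trivy_findings.py trivy.json  (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_report(text)
    for f in found:
        print(f.citation())
    blocked = blocking_findings(found)
    print(f"{len(found)} findings, {len(blocked)} at or above HIGH")
    sys.exit(1 if blocked else 0)
```

The script only reads the report and exits non-zero when something at or above the threshold is present, which keeps the agent in the read-only/report stage described above; the actual fix (for example the `requires-review` `npm update && npm audit fix` command) still goes through approval.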