# AGENTS.md instructions for Semgrep CLI for static analysis and policy checks

Use Semgrep CLI for static analysis and policy checks only to run code pattern checks and policy scans, emitting JSON or SARIF output that agents can summarize.

## Default behavior

- Prefer non-interactive commands and stable output formats: json, sarif, text.
- Start with read-only inspection commands before changing state.
- Show the exact command before destructive or deployment actions.
- Require explicit user approval for commands marked `requires-review` or `destructive`.

## Useful commands

- safe: `semgrep scan --config auto --json --output semgrep.json` — Creates a JSON report of code findings.
- safe: `semgrep scan --config .semgrep/ --sarif --output semgrep.sarif` — Runs repository-specific rules.
- requires-review: `${EDITOR:-vi} .semgrep/` — Rule changes can suppress findings and require review.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
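As an added example (not code from Semgrep or from this AGENTS.md), the script below reads a `semgrep scan --json` report and turns each finding into a `severity check_id path:line message` citation, so the agent quotes the report rather than paraphrasing terminal text. The embedded report and its rule ids are constructed for the example; only the `results[].check_id`, `path`, `start.line` and `extra.severity`/`extra.message` fields of the real format are used.

```python
# Added example: summarize a Semgrep JSON report for citation by an agent.
import json
from collections import Counter

# Constructed sample in the shape of `semgrep scan --json` output (rule ids
# and paths are made up); only the fields used below are included.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "example.security.shell-true", "path": "app/run.py",
         "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 40},
         "extra": {"severity": "ERROR",
                   "message": "subprocess call with shell=True"}},
        {"check_id": "example.best-practice.open-never-closed", "path": "app/io.py",
         "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 20},
         "extra": {"severity": "WARNING",
                   "message": "file handle never closed"}},
    ],
    "errors": [],
})

SEVERITY_ORDER = {"ERROR": 0, "WARNING": 1, "INFO": 2}


def load_findings(report_text):
    """Parse report JSON into (severity, check_id, path, line, message) tuples."""
    data = json.loads(report_text)
    findings = []
    for r in data.get("results", []):
        extra = r.get("extra", {})
        findings.append((extra.get("severity", "UNKNOWN"), r["check_id"],
                         r["path"], r["start"]["line"], extra.get("message", "")))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'ERROR': 1, 'WARNING': 1}."""
    return dict(Counter(f[0] for f in findings))


def format_citations(findings):
    """One citable line per finding, most severe first, then by path and line."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f[0], 9), f[2], f[3]))
    return [f"{sev} {cid} {path}:{line} {msg}" for sev, cid, path, line, msg in ordered]


def has_blocking_findings(findings, block_at="ERROR"):
    """True if any finding is at or above `block_at`; use before letting an agent edit files."""
    limit = SEVERITY_ORDER.get(block_at, 0)
    return any(SEVERITY_ORDER.get(f[0], 9) <= limit for f in findings)


if __name__ == "__main__":
    print("\n".join(format_citations(load_findings(SAMPLE_REPORT))))
```

Point the script at the `semgrep.json` produced by the safe scan command above to get the same citation lines for a real report.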