# AGENTS.md instructions for the Semgrep CLI (static analysis and policy checks)

Use the Semgrep CLI (static analysis and policy checks) only for: running code-pattern checks and policy scans, and producing JSON or SARIF reports that the agent can summarize.

## Default behavior

- Prefer non-interactive commands and stable output formats: json, sarif, text.
- Start with read-only inspection commands before changing state.
- Show the exact command before destructive or deployment actions.
- Require explicit user approval for commands marked `requires-review` or `destructive`.

## Useful commands

- safe: `semgrep scan --config auto --json --output semgrep.json` — Creates a JSON report of code findings.
- safe: `semgrep scan --config .semgrep/ --sarif --output semgrep.sarif` — Runs repository-specific rules.
- requires-review: `${EDITOR:-vi} .semgrep/` — Rule changes can suppress findings and require review.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
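As an added example (not part of these instructions or of the Semgrep project), a small Python helper that turns a `semgrep scan --json` report into exact, citable findings; the embedded report and its rule ids are constructed, and the field layout (`results`, `check_id`, `path`, `start.line`, `extra.severity`, top-level `errors`) follows Semgrep's JSON output as documented at the time of writing.

```python
import json
from collections import Counter

# Constructed sample report in the shape of `semgrep scan --json` output:
# top-level "results" (one per finding) and "errors" (parse/scan problems).
SAMPLE_REPORT = json.dumps({
    "version": "1.0.0", "errors": [],
    "results": [
        {"check_id": "example.python.shell-true",  # constructed rule id
         "path": "app/run.py", "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 40},
         "extra": {"severity": "ERROR", "message": "subprocess call with shell=True",
                   "lines": "subprocess.run(cmd, shell=True)"}},
        {"check_id": "example.python.print-usage",  # constructed rule id
         "path": "app/run.py", "start": {"line": 30, "col": 1}, "end": {"line": 30, "col": 20},
         "extra": {"severity": "INFO", "message": "print used", "lines": "print(result)"}},
        {"check_id": "example.python.shell-true",
         "path": "tools/build.py", "start": {"line": 8, "col": 5}, "end": {"line": 8, "col": 38},
         "extra": {"severity": "ERROR", "message": "subprocess call with shell=True",
                   "lines": "subprocess.call(line, shell=True)"}},
    ],
})

SEVERITY_ORDER = {"ERROR": 0, "WARNING": 1, "INFO": 2}


def load_findings(report_text):
    """Parse a Semgrep JSON report into citable findings, most severe first."""
    report = json.loads(report_text)
    findings = [{
        "severity": r.get("extra", {}).get("severity", "INFO").upper(),
        "rule": r["check_id"],
        "path": r["path"],
        "line": r["start"]["line"],
        "message": r.get("extra", {}).get("message", "").strip(),
    } for r in report.get("results", [])]
    # Deterministic order (severity, file, line) so citations are stable across runs.
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["path"], f["line"]))
    # A non-empty "errors" list means the scan was partial; the agent should say so.
    return findings, len(report.get("errors", []))


def summarize(report_text):
    """Return severity counts and one 'path:line [SEV] rule: message' citation per finding."""
    findings, scan_errors = load_findings(report_text)
    counts = dict(Counter(f["severity"] for f in findings))
    citations = [f'{f["path"]}:{f["line"]} [{f["severity"]}] {f["rule"]}: {f["message"]}'
                 for f in findings]
    return {"counts": counts, "scan_errors": scan_errors, "citations": citations}
```

Feed it the file written by `--output semgrep.json` instead of `SAMPLE_REPORT` to get the same summary for a real scan.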