security/plugin/scans.md +9 −4
40 40
41</WorkflowSteps>41</WorkflowSteps>
42 42
4343Repository-specific guidance in `AGENTS.md` can also establish the productFor persistent repository security guidance, add a `SECURITY.md` at the
4444surfaces, trust boundaries, supported validation commands, and out-of-scoperepository root. Use it to describe the threat model, security invariants,
4545areas. Prefer concrete repository context over a generic planning step beforereportable finding criteria, exclusions, and severity context. For
4646the scan.directory-specific guidance, add nested `SECURITY.md` files. When policies
47conflict, the file closest to the code takes precedence. Codex Security treats
48this content as policy context, not executable instructions.
49
50Use `AGENTS.md` for supported build and validation commands and other
51repository-specific instructions.
47 52
48## Let the phases complete53## Let the phases complete
49 54