Your AI writes code. Who checks it?
AGENTS.md is a file you drop into your repo to tell AI coding agents how to work on your project. It's supported by Cursor, GitHub Copilot, OpenAI Codex, Windsurf, Cline, and Factory CLI. It's widely adopted across open-source repos. The idea is straightforward: if you tell the agent to run a linter after writing code, it should. And if the linter finds issues, the agent can try to fix them before showing you the result. That's a tight feedback loop with no human in the middle for the routine stuff. Here's how to add prodlint to that loop.
The AGENTS.md snippet
Add this to your AGENTS.md (or create one in your project root). The key is putting the command early in the file and making the instructions specific. Agents follow concrete commands better than vague advice.
````markdown
# AGENTS.md

## After Writing or Modifying Code

Always run prodlint before committing:

```
npx prodlint --json
```

Fix all findings with `"severity": "critical"` before completing the task.
Re-run prodlint after fixing to verify no new issues were introduced.

If a finding is a false positive, suppress it:

```
// prodlint-disable-next-line <rule-id>
```
````

Why --json matters
The `--json` flag gives the agent structured output it can actually parse: file paths, line numbers, rule IDs, severity levels, and fix hints. Without it, the agent gets terminal output full of color codes and formatting that it has to guess at. With JSON, the agent can loop through findings, filter by severity, and apply fixes methodically. For even quicker feedback, use `--summary` to get a pass/fail verdict with just the top 3 blockers.
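As an added example (not prodlint's own code and not from the original post), here is the consumer side of that JSON: a small Node script that parses a report, counts findings by severity, and returns the pass/fail verdict plus the top three blockers an agent would act on. It assumes only the field names visible in prodlint's JSON output (`ruleId`, `file`, `line`, `severity`, `message`, `fix`); the embedded report is a constructed sample, and the rule ids other than `server-action-auth` are hypothetical.

```javascript
// Added example (not prodlint's own code): the consumer side of
// `npx prodlint --json`. It parses the report, counts findings by severity,
// and returns a pass/fail verdict with the top blockers, which is what an
// agent loop or a hook script needs before deciding the task is done.
// Field names follow prodlint's JSON report (ruleId, file, line, severity,
// message, fix). The report below is a constructed sample; rule ids other
// than server-action-auth are hypothetical.

// Constructed stand-in for the stdout of `npx prodlint --json`.
const SAMPLE_REPORT = JSON.stringify({
  findings: [
    { ruleId: "server-action-auth", file: "src/app/actions.ts", line: 4,
      severity: "critical",
      message: "Server action performs mutation without auth check",
      fix: "Add authentication check before database mutation" },
    { ruleId: "hypothetical-rule-a", file: "src/lib/db.ts", line: 12,
      severity: "warning", message: "constructed warning", fix: "constructed fix" },
    { ruleId: "hypothetical-rule-b", file: "src/app/page.tsx", line: 30,
      severity: "info", message: "constructed info", fix: "constructed fix" },
    { ruleId: "hypothetical-rule-c", file: "src/app/api/route.ts", line: 9,
      severity: "critical", message: "constructed critical", fix: "constructed fix" },
  ],
  overallScore: 72,
  summary: { critical: 2, warning: 1, info: 1 },
});

// Parse a report and return { pass, blockers, counts, error }.
// pass is false on any critical finding, and also when the report cannot be
// parsed or has no findings array: an unreadable report must never be
// treated as a clean run.
function triageReport(jsonText, maxBlockers = 3) {
  let report;
  try {
    report = JSON.parse(jsonText);
  } catch (err) {
    return { pass: false, blockers: [], counts: {}, error: `unparseable report: ${err.message}` };
  }
  if (!report || !Array.isArray(report.findings)) {
    return { pass: false, blockers: [], counts: {}, error: "report has no findings array" };
  }
  const findings = report.findings;

  // Count from the findings themselves rather than trusting report.summary,
  // so a stale or truncated summary cannot hide a blocker.
  const counts = { critical: 0, warning: 0, info: 0 };
  for (const f of findings) {
    if (Object.prototype.hasOwnProperty.call(counts, f.severity)) counts[f.severity] += 1;
  }

  // Blockers: critical findings in a stable file/line order, capped so the
  // agent works on a short list (the same idea as the --summary verdict).
  const blockers = findings
    .filter((f) => f.severity === "critical")
    .sort((a, b) => a.file.localeCompare(b.file) || a.line - b.line)
    .slice(0, maxBlockers);

  return { pass: blockers.length === 0, blockers, counts, error: null };
}

// One actionable line per finding: where it is, which rule, and the fix hint.
function describe(finding) {
  return `${finding.file}:${finding.line} [${finding.ruleId}] ${finding.message} -> ${finding.fix}`;
}

function main() {
  const result = triageReport(SAMPLE_REPORT);
  console.log(result.pass ? "PASS" : "FAIL", result.counts);
  for (const b of result.blockers) console.log("  " + describe(b));
  // A hook script would exit non-zero here when result.pass is false.
  return result;
}

main();
```

In practice the agent (or a hook) pipes the real `npx prodlint --json` output into `triageReport` and stops when `pass` is false. A report that fails to parse counts as a failure rather than a clean run, so a crashed or misconfigured linter cannot silently wave a change through.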
```
$ npx prodlint
prodlint v0.9.2
Scanned 42 files · 1 critical · 4 warnings

src/app/actions.ts
  4:1  WARN  Server action performs mutation without auth  server-action-auth
```

```
$ npx prodlint --json
{
  "findings": [
    {
      "ruleId": "server-action-auth",
      "file": "src/app/actions.ts",
      "line": 4,
      "severity": "warning",
      "message": "Server action performs mutation without auth check",
      "fix": "Add authentication check before database mutation"
    }
  ],
  "overallScore": 72,
  "summary": { "critical": 1, "warning": 4, "info": 1 }
}
```

Claude Code: use CLAUDE.md
Claude Code reads CLAUDE.md instead of AGENTS.md. Same idea, same format. If you want to support both Claude Code and other agents, you can keep both files or symlink one to the other. The instructions are identical.
````markdown
## Code Quality

After writing or modifying code, run:

```
npx prodlint --json
```

Fix all critical findings before committing.
Use `npx prodlint --summary` for a quick pass/fail check.
````

Enforce it with a git hook
AGENTS.md instructions are advisory. The agent should follow them, but there's no guarantee. If you want mandatory enforcement, add a pre-commit hook. This catches cases where the agent (or a human) skips the check.
```
pre-commit:
  commands:
    prodlint:
      glob: "*.{js,ts,jsx,tsx}"
      run: npx prodlint --summary
      fail_text: "prodlint found critical issues. Run: npx prodlint"
```

New in prodlint: SARIF, baselines, and profiles
Three new features that make prodlint fit into agent and CI workflows better. SARIF output feeds directly into GitHub Code Scanning, so findings show up in the Security tab alongside CodeQL results. Baselines let you adopt prodlint on an existing codebase without drowning in pre-existing findings. Profiles give you quick presets instead of remembering flag combinations.
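To make the baseline idea concrete, here is an added example (not prodlint's own baseline implementation and not from the original post) of what `--baseline-save` and `--baseline` do conceptually: record the findings present today, then report only findings that are not in that record. The fingerprint leaves out the line number so edits that merely shift lines do not bring baselined findings back, and the baseline stores a count per fingerprint so a second copy of an already-baselined finding is still reported as new. How prodlint itself keys its baseline is not described on this page, so the scheme is an assumption; all findings are constructed samples, and rule ids other than `server-action-auth` are hypothetical.

```javascript
// Added example (not prodlint's own baseline implementation): the idea behind
// --baseline-save / --baseline. How prodlint keys its baseline is not stated
// on the page; the fingerprint scheme here is an assumption. All findings
// below are constructed samples and rule ids other than server-action-auth
// are hypothetical.

// Identity of a finding that survives line shifts: rule, file and message.
function fingerprint(f) {
  return `${f.ruleId}|${f.file}|${f.message}`;
}

// --baseline-save: count each fingerprint seen in the current findings, so
// two identical findings in one file are distinguished from one.
function buildBaseline(findings) {
  const counts = {};
  for (const f of findings) {
    const key = fingerprint(f);
    counts[key] = (counts[key] || 0) + 1;
  }
  return { version: 1, counts };
}

// --baseline: consume one baseline slot per matching finding. Anything left
// over in the current run is new; anything left over in the baseline is stale
// (fixed since the baseline was saved) and can be pruned on the next save.
function diffAgainstBaseline(findings, baseline) {
  const remaining = { ...baseline.counts };
  const newFindings = [];
  let suppressed = 0;
  for (const f of findings) {
    const key = fingerprint(f);
    if (remaining[key] > 0) {
      remaining[key] -= 1;
      suppressed += 1;
    } else {
      newFindings.push(f);
    }
  }
  const stale = Object.keys(remaining).filter((k) => remaining[k] > 0);
  return { newFindings, suppressed, stale };
}

// Constructed first run: what --baseline-save would have recorded.
const FIRST_RUN = [
  { ruleId: "server-action-auth", file: "src/app/actions.ts", line: 4,
    severity: "critical", message: "Server action performs mutation without auth check" },
  { ruleId: "hypothetical-rule-a", file: "src/lib/db.ts", line: 12,
    severity: "warning", message: "constructed warning" },
];

// Constructed later run: the auth finding moved to line 9 (still baselined),
// the db.ts warning was fixed (stale), and a new critical finding appeared.
const SECOND_RUN = [
  { ruleId: "server-action-auth", file: "src/app/actions.ts", line: 9,
    severity: "critical", message: "Server action performs mutation without auth check" },
  { ruleId: "hypothetical-rule-b", file: "src/app/api/route.ts", line: 3,
    severity: "critical", message: "constructed new critical" },
];

// Serialize and re-parse the baseline exactly as it would go through a
// .prodlint-baseline.json file, then diff the later run against it.
function demo() {
  const saved = JSON.stringify(buildBaseline(FIRST_RUN), null, 2);
  const baseline = JSON.parse(saved);
  return diffAgainstBaseline(SECOND_RUN, baseline);
}

const outcome = demo();
console.log(`${outcome.newFindings.length} new, ${outcome.suppressed} baselined, ${outcome.stale.length} stale`);
for (const f of outcome.newFindings) console.log(`  NEW ${f.file}:${f.line} [${f.ruleId}]`);
```

The `stale` list is worth surfacing in CI output: a baseline that keeps shrinking is evidence the backlog is actually being paid down, and pruning stale entries on the next `--baseline-save` keeps the file honest.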
```
# SARIF for GitHub Code Scanning
npx prodlint --sarif > prodlint.sarif

# Quick pass/fail verdict
npx prodlint --summary

# Only critical findings (move fast)
npx prodlint --profile startup

# Save baseline, then only report new findings
npx prodlint --baseline-save .prodlint-baseline.json
npx prodlint --baseline .prodlint-baseline.json
```

The full CI workflow
Here's everything together: prodlint in AGENTS.md so the coding agent checks itself, a git hook as a safety net, and SARIF upload to GitHub so findings are visible in the Security tab. The agent runs prodlint automatically. The git hook catches anything that slips through. GitHub Code Scanning gives you the dashboard. No human has to remember to run the linter.
```
name: Prodlint
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: prodlint/prodlint@v1
        with:
          threshold: 50
      - run: npx prodlint --sarif > prodlint.sarif
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: prodlint.sarif
          category: prodlint
```

Catch all of these automatically.
52 production readiness checks. Zero config.