diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index 897e256..060ab1a 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -57,6 +57,7 @@ Destination must complete before source to avoid missing ARN references.
 - Never downgrade vault lock or remove protection flags.
 - Highlight irreversible actions (compliance mode enable) before performing.
 - Keep IAM actions minimal; wildcard resources only when service requires it. Document any `resources = ["*"]` with justification comment.
+- Trivy is currently vulnerable. DO NOT run trivy
 
 ## Documentation & Comment Policy