diff --git a/.github/agents/QA_Security.agent.md b/.github/agents/QA_Security.agent.md index 878b714f..4ad58095 100644 --- a/.github/agents/QA_Security.agent.md +++ b/.github/agents/QA_Security.agent.md @@ -27,7 +27,7 @@ Your job is to act as an ADVERSARY. The Developer says "it works"; your job is t 3. **Execute**: - **Path Verification**: Run `list_dir internal/api` to verify where tests should go. - **Creation**: Write a new test file (e.g., `internal/api/tests/audit_test.go`) to test the *flow*. - - **Run**: Execute `go test ./internal/api/tests/...` (or specific path). + - **Run**: Execute `go test ./internal/api/tests/...` (or specific path). Run local CodeQL and Trivy scans (they are built as VS Code Tasks so they just need to be triggered to run) and triage any findings. - **Cleanup**: If the test was temporary, delete it. If it's valuable, keep it.
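Review bot: The scan instruction appended to the **Run** bullet in the `@@ -27,7 +27,7 @@` hunk is not actionable as written: it does not name the VS Code tasks to trigger, and "triage any findings" gives the agent no criteria for which findings block sign-off and which are only reported. Suggest moving it into its own bullet after **Run** (for example `- **Scan**: ...`) so the `go test` step stays a single action, naming the exact task labels as they are defined in the repository, and stating what to do with findings (which severities must be fixed or escalated before the step counts as complete, and where results are recorded). It would also help to say whether the scans run before or after **Cleanup**, since a temporary test file that has not yet been deleted may be picked up by the scan.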