diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 00000000..b1803154
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,4 @@
+vulnerabilities:
+  - id: CVE-2026-26996
+    statement: downstream dependency for minimatch
+    expired_at: 2026-04-01
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 00000000..eb243375
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: ".trivyignore.yaml"