diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d842735..94e9c91 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -169,4 +169,4 @@ jobs:
           git diff --cached --quiet && echo "No changes" && exit 0
           git commit -m "ci(uat): update auth image from cartsnitch/auth CI"
           git pull --rebase origin main
-          git push origin main
\ No newline at end of file
+          git push origin main
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 0000000..b581f72
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,4 @@
+ignore:
+  # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
+  - vulnerability: CVE-2025-13836
+  - vulnerability: CVE-2026-4519