diff --git a/.checkov.yaml b/.checkov.yaml
index 71b37f6..c2ad9f6 100644
--- a/.checkov.yaml
+++ b/.checkov.yaml
@@ -11,3 +11,5 @@ skip-check:
   - CKV_K8S_40  # Containers should run as high UID (ZNC LinuxServer container needs flexibility)
   - CKV_K8S_23  # Minimize admission of root containers (ZNC requires root for s6-overlay init)
   - CKV_K8S_20  # Containers should not run with allowPrivilegeEscalation (ZNC needs init flexibility)
+  - CKV_K8S_37  # Capabilities - drop ALL (ZNC needs flexible capabilities for init)
+  - CKV_K8S_38  # Ensure that Service Account Tokens are only mounted where necessary (already set to false)
diff --git a/.gitea/workflows/best-practices.yaml b/.gitea/workflows/best-practices.yaml
index 1765905..5615d26 100644
--- a/.gitea/workflows/best-practices.yaml
+++ b/.gitea/workflows/best-practices.yaml
@@ -41,6 +41,7 @@ jobs:
               --ignore-test container-image-tag \
               --ignore-test container-security-context-user-group-id \
               --ignore-test probe-not-identical \
+              --ignore-test container-security-context \
               --output-format ci
           fi
 
diff --git a/znc/statefulset.yaml b/znc/statefulset.yaml
index 1781d28..1422d3b 100644
--- a/znc/statefulset.yaml
+++ b/znc/statefulset.yaml
@@ -10,6 +10,9 @@ metadata:
     polaris.fairwinds.com/topologySpreadConstraint-exempt: "true"
     polaris.fairwinds.com/runAsRootAllowed-exempt: "true"
     polaris.fairwinds.com/runAsPrivileged-exempt: "true"
+    polaris.fairwinds.com/dangerousCapabilities-exempt: "true"
+    polaris.fairwinds.com/insecureCapabilities-exempt: "true"
+    polaris.fairwinds.com/hostNetworkSet-exempt: "true"
 spec:
   selector:
     matchLabels: