diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index ce803fc0..67833dfe 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -8,6 +8,18 @@ container {
 secrets {
 all = true
 }
+
+ # Triage items that are _safe_ to ignore here. Note that this list should be
+ # periodically cleaned up to remove items that are no longer found by the scanner.
+ triage {
+ suppress {
+ vulnerabilities = [
+ "GHSA-rx97-6c62-55mf", // https://github.com/github/advisory-database/pull/5759 TODO(dduzgun): remove when dep updated.
+ "CVE-2025-46394", // busybox@1.37.0-r18 TODO(dduzgun): remove when dep updated.
+ "CVE-2024-58251", // busybox@1.37.0-r18 TODO(dduzgun): remove when dep updated.
+ ]
+ }
+ }
 }
 
 binary {
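Review bot: The three entries in `vulnerabilities = [...]` are described as safe to ignore, but none of the per-entry comments says why the finding is not exploitable in this image. The `GHSA-rx97-6c62-55mf` line also does not name the affected dependency, unlike the two busybox lines. The entries appear to be keyed by advisory ID alone, so a later match of the same ID in a different package or version would presumably stay suppressed as well; confirm this against the scanner's documentation. I would give each entry a comment of the form `# <ID>: <package>@<version>; <reason it is not reachable here>; remove once <fixed version> ships (tracking: <issue link>)`, so that the periodic cleanup the header asks for has something concrete to check against. The enclosing `container` block opens before this hunk, so any other scan settings in it are not visible here.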