diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..ef10790
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,6 @@
+misconfigurations:
+ - id: KSV-0041
+ paths:
+ - deploy/clusterrole.yaml
+ expired_at: 2026-05-22
+ statement: Soteria copies restic credentials into target namespaces for backup Jobs; replace with a narrower per-namespace secret distribution model.
diff --git a/Jenkinsfile b/Jenkinsfile
index 7e247b8..5076764 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -119,7 +119,9 @@ spec:
 set +e
 sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
 sonar_rc=${PIPESTATUS[0]}
- trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
+ ignore_args=()
+ [ -f .trivyignore.yaml ] && ignore_args+=(--ignorefile .trivyignore.yaml)
+ trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL "${ignore_args[@]}" .
 trivy_rc=$?
 set -e
 printf '%s\n' "${sonar_rc}" > build/sonarqube-analysis.rc
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index e8029d2..e2de8f0 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -18,6 +18,9 @@ spec:
 app.kubernetes.io/component: api
 spec:
 serviceAccountName: soteria
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: soteria
 image: registry.bstein.dev/infra/soteria:0.1.0
@@ -53,5 +56,7 @@ spec:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 65532
+ runAsGroup: 65532
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
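Review bot: The `statement` for KSV-0041 records why the secret-management permission in `deploy/clusterrole.yaml` is accepted but not where the remediation is tracked, so when `expired_at: 2026-05-22` passes the finding will just resurface with no owner. Append a tracker reference, e.g. `statement: Soteria copies restic credentials into target namespaces for backup Jobs; replace with a narrower per-namespace secret distribution model (tracked in <ISSUE-ID placeholder>).` Scoping the entry with `paths` to the one manifest is the right call; keep it that narrow if the ClusterRole is ever split. Since this file now shapes what the scan reports, changes to it deserve the same review ownership as `deploy/`.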
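Review bot: `"${ignore_args[@]}"` on an empty array is an unbound-variable error on bash older than 4.4 whenever the script runs under `set -u`; the visible lines only toggle `-e`, so confirm the shell options in the enclosing block or write `"${ignore_args[@]+"${ignore_args[@]}"}"`. The `[ -f .trivyignore.yaml ] && …` guard is safe here under `set +e`, and a failed test in an `&&` list would not trip errexit even if `set +e` were later removed. Suppressed findings vanish from `build/trivy-fs.json` silently; if the pipeline's Trivy version supports `--show-suppressed`, adding it keeps the ignored KSV-0041 visible in the artifact for audit. The enclosing script block starts and ends outside the hunk.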
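Review bot: `readOnlyRootFilesystem: true` will fail the container at runtime if soteria writes anywhere on its image filesystem (a `/tmp` or cache directory, for instance), and this hunk shows no `volumeMounts`, so confirm the writable paths and back each with an `emptyDir` mount. `runAsGroup: 65532` matching `runAsUser` is fine. The backup Jobs that Soteria creates (per the new `.trivyignore.yaml` statement) are not in this diff; their pod templates should carry the same `securityContext` fields, including the pod-level `seccompProfile` added in the earlier hunk, so the hardening is not limited to the API pod. The container spec continues outside the hunk.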