diff --git a/.gitea/workflows/homelab-main.yml b/.gitea/workflows/homelab-main.yml
index 49a2c57..046603d 100644
--- a/.gitea/workflows/homelab-main.yml
+++ b/.gitea/workflows/homelab-main.yml
@@ -114,10 +114,15 @@ jobs:
printf '{}\n' > "${trivy_docker_config}/config.json"
export DOCKER_CONFIG="${trivy_docker_config}"
+ trivy_ignore_args=()
+ if [[ -f .trivyignore.yaml ]]; then
+ trivy_ignore_args=(--ignorefile .trivyignore.yaml)
+ fi
+
"${trivy_bin}" fs --scanners vuln,misconfig --severity HIGH,CRITICAL \
- --exit-code 0 --no-progress --cache-dir "${trivy_cache}" .
+ --exit-code 0 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .
"${trivy_bin}" fs --scanners vuln,misconfig --severity CRITICAL \
- --exit-code 1 --no-progress --cache-dir "${trivy_cache}" .
+ --exit-code 1 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .
- name: Validate shell, Kubernetes manifests, and OpenTofu stacks
run: |
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..f8db970
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,9 @@
+misconfigurations:
+ - id: KSV-0014
+ paths:
+ - apps/gitea/deployment.yaml
+ statement: Gitea needs a separate tested migration to the rootless image because its current persistent volume layout uses the standard image /data path and OpenSSH setup.
+ - id: KSV-0118
+ paths:
+ - apps/gitea/deployment.yaml
+ statement: Gitea needs a separate tested migration to the rootless image because its current persistent volume layout uses the standard image /data path and OpenSSH setup.
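Review bot: `"${trivy_ignore_args[@]}"` on the two changed `--exit-code` lines expands an empty array whenever `.trivyignore.yaml` is absent, which is an "unbound variable" error under `set -u` on bash older than 4.4; whether this `run:` block enables `-u` is not visible here, since the step begins before the hunk. If it does, or if the runner's bash version is not pinned, the portable form is `${trivy_ignore_args[@]+"${trivy_ignore_args[@]}"}` on both lines. Separately, the same ignore file now feeds the blocking `--exit-code 1` CRITICAL scan and not only the informational HIGH,CRITICAL pass, so a comment above the `if [[ -f .trivyignore.yaml ]]` line should make that explicit, e.g. `# entries in .trivyignore.yaml also silence the blocking CRITICAL scan below; each needs a statement and an expiry`.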
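Review bot: Neither entry carries an `expired_at` date, so the KSV-0014 and KSV-0118 exceptions on `apps/gitea/deployment.yaml` are open-ended even though their `statement` describes a pending migration rather than an accepted permanent state. Trivy's YAML ignore format supports `expired_at: <YYYY-MM-DD>` per entry, after which the finding is reported again; adding it to both entries (with a placeholder date to be agreed on) turns the deferral into a tracked deadline instead of a silent permanent exclusion. Since this file is read from the checkout on every run and applies to the blocking CRITICAL scan in the workflow, the path-scoped entries are the right shape, but the duplicated statement could reference wherever the migration is being tracked so reviewers can tell whether it is still pending.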