diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0596e6e..1e1cdf4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,6 +37,8 @@ jobs:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Build
+ env:
+ GH_TOKEN: ${{ github.token }}
 run: task build
 - name: Build init
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..7df3fdf
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+# DS-0002: "Specify at least 1 USER command in Dockerfile with non-root user"
+# Our Dockerfiles in images/ are microVM rootfs images, not traditional containers.
+# Isolation comes from the VM boundary (libkrun), not Linux user namespaces.
+DS-0002
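Review bot: The new `GH_TOKEN: ${{ github.token }}` on the Build step hands the workflow token to everything `task build` executes, and nothing in the hunk shows what that token is allowed to do; the jobs block starts and ends outside the hunk, so a `permissions:` block may exist out of view. If there is none, the token takes the repository default, which may include write scopes, and pinning `permissions:` / `contents: read` at workflow or job level would bound what a build script or fetched dependency can do with it. A one-line comment above `env:`, for example `# GH_TOKEN: authenticated GitHub API calls during task build`, would record why the token is needed and when it can be dropped; the purpose is not visible here, so the wording needs confirming. The step above spells the same token `secrets.GITHUB_TOKEN`, and using one spelling throughout keeps the file easier to audit.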
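Review bot: The bare `DS-0002` entry turns the non-root USER check off for every Dockerfile the scan covers, while the comment justifies it only for the microVM rootfs images under images/. A conventional container Dockerfile added elsewhere in the repository later would then pass without a USER instruction and no finding would be reported. If the Trivy version in use supports `.trivyignore.yaml`, an entry for this ID with a `paths:` list limited to the images/ Dockerfiles keeps the exception as narrow as its rationale. Otherwise add a comment line such as `# Applies repo-wide: revisit if a Dockerfile outside images/ is added`.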