diff --git a/.github/.trivyignore b/.github/.trivyignore new file mode 100644 index 00000000..bbafe562 --- /dev/null +++ b/.github/.trivyignore @@ -0,0 +1 @@ +CVE-2026-26996 diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml index 0784c279..9ac20003 100644 --- a/.github/workflows/docker-hub.yml +++ b/.github/workflows/docker-hub.yml @@ -16,6 +16,9 @@ on: env: DOCKER_USER: 1001:127 +permissions: + contents: read + jobs: build-and-push-backend: runs-on: ubuntu-latest @@ -42,6 +45,7 @@ jobs: with: docker-build-args: "--target backend-production -f Dockerfile" docker-image-name: "docker.io/lasuite/impress-backend:${{ github.sha }}" + trivyignores: ./.github/.trivyignore - name: Build and push uses: docker/build-push-action@v6 with: @@ -83,6 +87,7 @@ jobs: with: docker-build-args: "-f src/frontend/Dockerfile --target frontend-production" docker-image-name: "docker.io/lasuite/impress-frontend:${{ github.sha }}" + trivyignores: ./.github/.trivyignore - name: Build and push uses: docker/build-push-action@v6 with: @@ -124,6 +129,7 @@ jobs: with: docker-build-args: "-f src/frontend/servers/y-provider/Dockerfile --target y-provider" docker-image-name: "docker.io/lasuite/impress-y-provider:${{ github.sha }}" + trivyignores: ./.github/.trivyignore - name: Build and push uses: docker/build-push-action@v6 with: diff --git a/CHANGELOG.md b/CHANGELOG.md index 9eae6da7..9def0fed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ and this project adheres to - 👷(CI) add GHCR workflow for forked repo testing #1851 - ✨(backend) allow the duplication of subpages #1893 - ✨(backend) Onboarding docs for new users #1891 +- 🩺(trivy) add trivyignore file and add minimatch CVE #1915 ### Changed
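Review bot: The new `.trivyignore` suppresses CVE-2026-26996 with no justification and no expiry, so once merged the finding is silenced in every image that consumes this file for as long as the line exists, and a reader of the file alone cannot tell why it was accepted (the CHANGELOG ties it to minimatch, but that context is not in the file). Trivy accepts `#` comment lines in `.trivyignore` and, per its documentation, an expiration suffix after which the finding surfaces again, so I would record both: `# minimatch (#1915): <why the risk is accepted, link to upstream fix>` followed by `CVE-2026-26996 exp:<date to re-evaluate>`. If the vulnerable package is only present in one of the three images, the `.trivyignore.yaml` format can scope the entry to a package or path, which is tighter than a global ignore.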
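Review bot: The same `trivyignores: ./.github/.trivyignore` line is added to the backend, frontend and y-provider scan steps, but the CHANGELOG describes the suppressed CVE as a minimatch finding, which is a Node dependency and presumably only reachable in the frontend and y-provider images; applying the shared list to the backend scan means a future backend hit on that ID would be silenced without anyone having assessed it for that image. Either give each step its own file (`trivyignores: ./.github/.trivyignore-backend`, empty for now) or keep one file and scope the entry to the affected package/path via the YAML ignore format, so each image only suppresses what was actually reviewed for it. The step's `uses:` line and the action that interprets `trivyignores` sit above the hunk, so the option's exact semantics could not be checked here.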