diff --git a/.trivyignore b/.trivyignore
index bcc8029163..5dc4f55610 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,2 +1,5 @@
 # We don't use the affected constructs and thus are not vulnerable.
 CVE-2024-42473
+# We actually use go-tuf v2. v0.7.0 (which is vulnerable) is merely
+# a transitive dependency and we're not affected by the CVE.
+CVE-2024-47534
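Review bot: The added `CVE-2024-47534` entry is a permanent, repo-wide suppression, so the scanner will stay silent on this ID even if the go-tuf v0.7.0 code later becomes reachable from this project. Trivy accepts an expiry on the ignore line, e.g. `CVE-2024-47534 exp:YYYY-MM-DD` (date to be chosen by the team), which forces the justification to be re-checked instead of living on indefinitely. The comment also rests the "not affected" claim on the dependency being transitive, which by itself does not establish it. It would help to name the module that pulls in v0.7.0 and state that none of the vulnerable code paths are called, so a later reader can verify the claim.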