diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 1fd30820..235212a4 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -449,6 +449,7 @@ jobs: format: 'sarif' output: 'trivy-nightly.sarif' version: 'v0.69.3' + trivyignores: '.trivyignore' - name: Upload Trivy results uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 diff --git a/.grype.yaml b/.grype.yaml index 23c9f5a9..7701f01f 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -50,7 +50,7 @@ ignore: as of 2026-01-16. Risk accepted: Charon does not directly use untgz or process untrusted tar archives. Attack surface limited to base OS utilities. Monitoring Alpine security feed for upstream patch. - expiry: "2026-01-23" # Re-evaluate in 7 days + expiry: "2026-03-14" # Re-evaluate in 7 days # Action items when this suppression expires: # 1. Check Alpine security feed: https://security.alpinelinux.org/ diff --git a/.trivyignore b/.trivyignore index 9a36c768..fa6966bb 100644 --- a/.trivyignore +++ b/.trivyignore @@ -7,3 +7,10 @@ playwright/.auth/ # Charon does not use Nebula VPN PKI by default. Review by: 2026-03-05 # See also: .grype.yaml for full justification CVE-2026-25793 + +# CVE-2026-22184: zlib Global Buffer Overflow in untgz utility +# Severity: CRITICAL (CVSS 9.8) — Package: zlib 1.3.1-r2 in Alpine base image +# No upstream fix available: Alpine 3.23 (including edge) still ships zlib 1.3.1-r2. +# Charon does not use untgz or process untrusted tar archives. Review by: 2026-03-14 +# See also: .grype.yaml for full justification +CVE-2026-22184
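Review bot: The new `trivyignores: '.trivyignore'` input makes the nightly SARIF upload silently omit every ID listed in that file, and Trivy's plain `.trivyignore` format has no expiry field, so the `Review by:` dates written there (see the .trivyignore hunk in this commit) are never enforced the way grype's `expiry:` is. Trivy also accepts a `.trivyignore.yaml` form with per-entry `expired_at:` and `statement:` fields, which would let a suppression lapse on its own; whether trivy-action's `trivyignores` input passes the YAML variant through unchanged should be confirmed before switching. At minimum, annotate the new line, e.g. `trivyignores: '.trivyignore'  # plain format: no expiry; check the Review-by dates when extending an entry`. The Trivy step's `uses:` line and the start of its `with:` block are above the hunk.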
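Review bot: The inline comment on the new `expiry: "2026-03-14"` line still reads `# Re-evaluate in 7 days`, but the expiry moved from 2026-01-23 to 2026-03-14, roughly seven weeks past the `as of 2026-01-16` assessment that is left unchanged in the context lines above. A reader cannot tell whether the risk statement was actually re-checked when the date was extended or the suppression was simply pushed out. Record the extension instead, e.g. `expiry: "2026-03-14" # Extended <REVIEW_DATE>; re-check Alpine feed on expiry`, and refresh the `as of` date in the justification if it was re-evaluated. The ignore entry this line belongs to begins above the hunk.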
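Review bot: The added justification states `No upstream fix available: Alpine 3.23 (including edge) still ships zlib 1.3.1-r2.` without saying when that was checked, so once the package is rebuilt the comment will keep asserting that no fix exists. Prefix it with the check date, e.g. `# As of <CHECK_DATE>, no upstream fix: Alpine 3.23 (including edge) still ships zlib 1.3.1-r2.`, matching the `as of` wording used in .grype.yaml. Note that `Review by: 2026-03-14` is informational only in this file format: nothing reads it, so the entry stays active after that date unless someone removes it by hand.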