diff --git a/Makefile b/Makefile
index 544c8d4..a19b8d1 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ scan: build
 	@docker run --rm \
 	-v /var/run/docker.sock:/var/run/docker.sock \
 	-v $(CURDIR)/images/$(IMAGE)/.trivyignore:/.trivyignore:ro \
-	aquasec/trivy:0.69.3 image \
+	aquasec/trivy:0.70.0 image \
 	--severity CRITICAL,HIGH \
 	--ignore-unfixed \
 	--exit-code 1 \
diff --git a/images/ci-tools/.trivyignore b/images/ci-tools/.trivyignore
index ab29d44..e621fc0 100644
--- a/images/ci-tools/.trivyignore
+++ b/images/ci-tools/.trivyignore
@@ -19,11 +19,28 @@ CVE-2026-25679
 
 # internal/syscall/unix: Root.Chmod can follow symlinks out of the root
 # (fixed in Go 1.25.9 / 1.26.2)
-# Affects: actionlint (Go 1.25.7), shfmt v3.13.1 (Go 1.26.1), yq v4.52.5 (Go 1.26.1)
-# Remove this entry once all three ship builds on Go >= 1.25.9 or 1.26.2.
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1)
+# Remove this entry once both ship builds on Go >= 1.25.9 or 1.26.2.
 # Tracking issue: #96
 CVE-2026-32282
 
+# crypto/x509: chain building does unbounded work (fixed in Go 1.25.9 / 1.26.2)
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1)
+# Both are offline tools that do not perform X.509 chain building on
+# untrusted input, so the practical risk is negligible.
+# Remove this entry once both ship builds on Go >= 1.25.9 or 1.26.2.
+# Tracking issue: #96
+CVE-2026-32280
+
+# crypto/x509: certificate validation bypass via incorrect DNS constraint
+# handling (fixed in Go 1.26.2)
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1)
+# Both are offline tools that do not validate TLS certificates against
+# untrusted input, so the practical risk is negligible.
+# Remove this entry once both ship builds on Go >= 1.26.2.
+# Tracking issue: #96
+CVE-2026-33810
+
 # picomatch: ReDoS via crafted extglob patterns (fixed in 4.0.4 / 3.0.2 / 2.3.2)
 # Affects: npm 11.12.1 bundled tinyglobby → picomatch 4.0.3
 # npm bundles its own dependencies; global install cannot override them.
diff --git a/images/ci-tools/versions.lock b/images/ci-tools/versions.lock
index 0f032e0..e5acf89 100644
--- a/images/ci-tools/versions.lock
+++ b/images/ci-tools/versions.lock
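Review bot: The two new suppressions (CVE-2026-32280, CVE-2026-33810) and the reworded CVE-2026-32282 entry scope their justification to actionlint and shfmt in the comment only, but a plain `.trivyignore` entry suppresses the CVE for every package in the image scan, so if yq, hadolint or a future Go binary is built on an unfixed Go toolchain the finding stays hidden. The "Remove this entry once …" line is a manual reminder with no enforcement; Trivy's ignore file accepts an expiry suffix, so writing each new entry as `CVE-2026-32280 exp:<YYYY-MM-DD>` (placeholder date, e.g. a few weeks out) makes the suppression lapse automatically and forces a re-check instead of silently persisting. Dropping yq from the CVE-2026-32282 "Affects" line presumably relies on the v4.53.2 bump in the versions.lock hunk being built on Go ≥ 1.26.2; a short comment stating that, e.g. `# yq v4.53.2 is built on a fixed Go toolchain (verified <date>)`, would record why it was removed.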
@@ -8,9 +8,9 @@ ACTIONLINT_SHA256_ARM64=325e971b6ba9bfa504672e29be93c24981eeb1c07576d730e9f7c880
 HADOLINT_VERSION=v2.14.0
 HADOLINT_SHA256_AMD64=6bf226944684f56c84dd014e8b979d27425c0148f61b3bd99bcc6f39e9dc5a47
 HADOLINT_SHA256_ARM64=331f1d3511b84a4f1e3d18d52fec284723e4019552f4f47b19322a53ce9a40ed
-YQ_VERSION=v4.52.5
-YQ_SHA256_AMD64=75d893a0d5940d1019cb7cdc60001d9e876623852c31cfc6267047bc31149fa9
-YQ_SHA256_ARM64=90fa510c50ee8ca75544dbfffed10c88ed59b36834df35916520cddc623d9aaa
+YQ_VERSION=v4.53.2
+YQ_SHA256_AMD64=d56bf5c6819e8e696340c312bd70f849dc1678a7cda9c2ad63eebd906371d56b
+YQ_SHA256_ARM64=03061b2a50c7a498de2bbb92d7cb078ce433011f085a4994117c2726be4106ea
 MARKDOWNLINT_CLI2_VERSION=0.21.0
 BIOME_VERSION=2.4.7
 STYLELINT_VERSION=17.6.0