diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..f42b0c877
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+  cache-poisoning:
+    ignore:
+      # The GHA cache is used intentionally here for build performance.
+      # The risk is accepted as these workflows only build internal images.
+      - ci.yml
+      - deploy.yml