diff --git a/.trivyignore b/.trivyignore
index 2c4b016b8..e69de29bb 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,4 +0,0 @@
-# Remove after resolution as part of https://nhsd-jira.digital.nhs.uk/browse/CCM-13769
-CVE-2024-49761 # https://avd.aquasec.com/nvd/cve-2024-49761 ## latest Jekyll Webpack (0.2.7) installs old version of rexml
-CVE-2024-47220 # https://avd.aquasec.com/nvd/cve-2024-47220 ## latest lint_roller (1.1.0) installs old version of rexml
-CVE-2024-7254 # https://avd.aquasec.com/nvd/cve-2024-7254 ## latest Jekyll Webpack (0.2.7) installs old version of google-protobuf
diff --git a/docs/Gemfile b/docs/Gemfile
index 6de59c26a..6b1db009e 100644
--- a/docs/Gemfile
+++ b/docs/Gemfile
@@ -42,3 +42,8 @@ gem 'sass-embedded', '1.78'
 gem 'jekyll-webpack'
 gem 'rubocop', require: false
+
+# Security: Explicit dependency pins to resolve CVEs
+gem 'google-protobuf', '>= 4.28.3' # Addresses CVE-2024-7254
+gem 'rexml', '>= 3.3.9' # Addresses CVE-2024-49761, CVE-2024-47220
+gem 'webrick', '~> 1.8' # Standard Ruby web server for Jekyll serve
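Review bot: The `gem 'webrick', '~> 1.8'` line in the new docs/Gemfile block sits under the "resolve CVEs" heading but its own comment only says it is the server for `jekyll serve`, and `~> 1.8` still admits every 1.8.x release; if WEBrick is being pinned for a security reason the constraint should name the first fixed release (`gem 'webrick', '>= <first fixed 1.8.x release>'`), and if it is not, it belongs outside the security comment. Relatedly, as far as I recall CVE-2024-47220 is a WEBrick request-smuggling advisory rather than a REXML one (the removed .trivyignore entry attributed it to rexml as well), so `# Addresses CVE-2024-49761, CVE-2024-47220` on the rexml line should be checked against the linked advisory before it becomes the record of why the ignore entries were dropped. A Gemfile constraint also only takes effect once the lockfile is regenerated, and no `docs/Gemfile.lock` change is visible in this diff, so a `bundle update` for these three gems and a clean trivy run should accompany the change rather than be assumed from the emptied .trivyignore.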