diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index b02d231141a..0615a934da6 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -129,13 +129,15 @@ jobs:
           # - tools/osquery/in-a-box/osquery/fleet.key: TLS key for the "Fleet in a box" demo
           # - tools/osquery/fleet.key: TLS key for the standalone osquery dev sandbox
           # - orbit/pkg/insecure/proxy.go: TLS key used when running orbit with `--insecure` mode for development/testing.
-          # - ee/orbit/pkg/httpsigproxy/httpsigproxy.go: TLS key only used for osquery to orbit _local_ communication 
+          # - ee/orbit/pkg/httpsigproxy/httpsigproxy.go: TLS key only used for osquery to orbit _local_ communication
           #   (for injection of HTTP signatures for the TPM-backed feature in Linux).
+          # - website/config/custom.js: commented-out Stripe test-mode placeholders shown as example config.
           skip-files: |
             tools/osquery/in-a-box/osquery/fleet.key
             tools/osquery/fleet.key
             orbit/pkg/insecure/proxy.go
             ee/orbit/pkg/httpsigproxy/httpsigproxy.go
+            website/config/custom.js
 
       - name: Upload Trivy scan results to GitHub Security tab
         # Only upload on schedule/manual runs. PR/push uploads register