Über uns
+
+
{
// In production (.output/server), working dir is .output
if (cwd.endsWith('.output')) {
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, '../server/data', filename)
}
// In development, working dir is project root
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, 'server/data', filename)
}
diff --git a/server/utils/email-service.js b/server/utils/email-service.js
index ddccd62..38be71c 100644
--- a/server/utils/email-service.js
+++ b/server/utils/email-service.js
@@ -18,8 +18,10 @@ function getDataPath(filename) {
const isProduction = process.env.NODE_ENV === 'production'
if (isProduction) {
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(process.cwd(), '..', 'server', 'data', filename)
} else {
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(process.cwd(), 'server', 'data', filename)
}
}
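Review bot: The two `// nosemgrep: …path-join-resolve-traversal` comments added in getDataPath silence the path-traversal rule without recording why that is safe, and nothing in this hunk constrains `filename`. termine.js in the same commit keeps its rationale next to the function; if it holds here too, add the same sentence, e.g. `// filename is always a hardcoded constant, never user input`. If that cannot be guaranteed for every caller, a guard before the joins such as `if (path.basename(filename) !== filename) throw new Error('invalid data filename')` would make the suppression true by construction. The same point applies to the hunks in server/utils/members.js, news.js and newsletter.js; getDataPath's signature is above this hunk, so its callers are not visible here.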
diff --git a/server/utils/members.js b/server/utils/members.js
index e3b8732..e45612f 100644
--- a/server/utils/members.js
+++ b/server/utils/members.js
@@ -11,10 +11,12 @@ const getDataPath = (filename) => {
// In production (.output/server), working dir is .output
if (cwd.endsWith('.output')) {
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, '../server/data', filename)
}
// In development, working dir is project root
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, 'server/data', filename)
}
diff --git a/server/utils/news.js b/server/utils/news.js
index edee946..2c0138a 100644
--- a/server/utils/news.js
+++ b/server/utils/news.js
@@ -10,10 +10,12 @@ const getDataPath = (filename) => {
// In production (.output/server), working dir is .output
if (cwd.endsWith('.output')) {
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, '../server/data', filename)
}
// In development, working dir is project root
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, 'server/data', filename)
}
diff --git a/server/utils/newsletter.js b/server/utils/newsletter.js
index 3b55022..84579ff 100644
--- a/server/utils/newsletter.js
+++ b/server/utils/newsletter.js
@@ -10,8 +10,10 @@ import crypto from 'crypto'
const getDataPath = (filename) => {
const cwd = process.cwd()
if (cwd.endsWith('.output')) {
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, '../server/data', filename)
}
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, 'server/data', filename)
}
diff --git a/server/utils/termine.js b/server/utils/termine.js
index 87b8e66..ba7aa7c 100644
--- a/server/utils/termine.js
+++ b/server/utils/termine.js
@@ -3,17 +3,18 @@ import path from 'path'
import { randomUUID } from 'crypto'
// Handle both dev and production paths
-// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
// filename is always a hardcoded constant (e.g., 'termine.csv'), never user input
const getDataPath = (filename) => {
const cwd = process.cwd()
// In production (.output/server), working dir is .output
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
if (cwd.endsWith('.output')) {
return path.join(cwd, '../public/data', filename)
}
// In development, working dir is project root
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, 'public/data', filename)
}
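Review bot: The first added `// nosemgrep` comment sits above `if (cwd.endsWith('.output')) {`, while the call the rule flags is `return path.join(cwd, '../public/data', filename)` one line further down. Semgrep honours a nosemgrep comment only on the finding's own line or the line directly before it, so the production branch is likely still reported. Move the comment inside the `if`, directly above the `return`, as the other files in this commit do. The existing `// filename is always a hardcoded constant …` line should stay with the function, since it is the only justification for either suppression.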