diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 05dd1d1af..781446dd9 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -32,7 +32,7 @@ jobs:
 working-directory: backend
 run: |
 go install github.com/securego/gosec/v2/cmd/gosec@latest
- gosec -severity high -confidence high ./...
+ gosec -conf .gosec.yaml -severity high -confidence high ./...
 frontend-security:
 runs-on: ubuntu-latest
diff --git a/backend/.gosec.yaml b/backend/.gosec.yaml
new file mode 100644
index 000000000..8d27715ae
--- /dev/null
+++ b/backend/.gosec.yaml
@@ -0,0 +1,7 @@
+global:
+ # Exclude G704 (SSRF via taint analysis) - this is an API gateway platform
+ # that by design proxies requests to configurable upstream services.
+ # All upstream URLs are sourced from admin-configured settings or known
+ # third-party API endpoints, not from end-user input.
+ exclude:
+ - G704
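Review bot: The new `-conf .gosec.yaml` line makes the scan depend on a specific rule id (G704) and on gosec's config-file format, while the install line two lines above still uses `gosec@latest`, so a future gosec release can change either and silently alter what this job enforces or make the step fail. Pin the scanner, e.g. `go install github.com/securego/gosec/v2/cmd/gosec@<PINNED_VERSION>` (placeholder; use the version the exclusion was tested against), and bump it deliberately. The relative config path is only correct because of the visible `working-directory: backend`; a comment such as `# .gosec.yaml lives in backend/, resolved via working-directory` would keep that coupling from being broken by a later refactor. The enclosing job definition starts before this hunk.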
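Review bot: A global `exclude` of G704 turns off SSRF detection for every package under `./...`, not just the proxy path the comment justifies, so the claim that upstream URLs never come from end-user input is asserted once here and never re-checked as new handlers are added. The narrower form is to keep G704 enabled and suppress it at the specific proxy call sites with an inline `#nosec G704` plus a one-line reason, so any new finding elsewhere still surfaces in CI. If the global exclusion is kept, extend the comment with the concrete component it covers and a condition for revisiting it, e.g. `# Revisit if any handler starts accepting caller-supplied upstream URLs.` Also verify in the first CI run that gosec reports G704 as excluded (the documented config examples are JSON, and I am not certain this YAML list form is read as intended); a misread config would leave the rule active or fail the step rather than apply the exclusion.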