diff --git a/docker-compose.yml b/docker-compose.yml
index 8aed5c3f558e9d96173ffb4e0cdecd87250c8a9b..8c2784bd4e3987b82b1ffce52d86a3fc53b1d449 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,7 @@
+# This docker-compose file is only used for running integration tests and generating docs. As such we're making some
+# allowances with regards to ignoring kics-scan checks.
+# kics-scan ignore
+
 name: gcp-cloud-run-app-testing
 
 services:
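Review bot: `# kics-scan ignore` turns off every KICS query for the whole file, so the `cap_drop` entries added further down in this same commit are never checked. Any later regression in this compose file, such as a privileged service or a wider credential mount, would also go unreported. Because the file bind-mounts the gcloud application default credentials, it would be safer to suppress only the accepted findings with `# kics-scan disable=<query-id>` (placeholder for the specific query) and a one-line reason for each. The same file-wide ignore is added at the top of tests/setup/main.tf. Those resources are short-lived but presumably still created in a real project, so the same narrowing applies there.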
@@ -11,9 +15,13 @@ services:
     volumes:
       - .:/workdir:rw
       - ~/.config/gcloud/application_default_credentials.json:/root/.config/gcloud/application_default_credentials.json:ro
+    cap_drop:
+      - "ALL"
   terraform-docs:
     image: quay.io/terraform-docs/terraform-docs:0.17.0
     entrypoint: ["."]
     working_dir: /workdir
     volumes:
       - .:/workdir:rw
+    cap_drop:
+      - "ALL"
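Review bot: Dropping `ALL` capabilities also removes CAP_DAC_OVERRIDE, so if these containers run as root (the `/root/.config/gcloud` mount target in the first service suggests they do), root can no longer read or write host files it does not own. On a Linux host that could break the read-only `application_default_credentials.json` mount, which gcloud normally creates readable only by its owner, and writes into `.:/workdir:rw`. Please confirm the integration-test and docs runs still pass on Linux. Consider giving each service an explicit `user:` that matches the invoking host user, with the credentials mount target adjusted to that user's home, and adding `security_opt: ["no-new-privileges:true"]`. The first service's definition starts outside this hunk.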
diff --git a/static_egress_ip.tf b/static_egress_ip.tf
index fc6cf77d641b90d29637ab3d75b9fa20a69015d0..a150db50ba825db32a8d43c97028debc9a6a5a7e 100644
--- a/static_egress_ip.tf
+++ b/static_egress_ip.tf
@@ -3,6 +3,7 @@
 # https://cloud.google.com/run/docs/configuring/static-outbound-ip
 
 # trivy:ignore:AVD-GCP-0029
+# kics-scan disable=40430747-442d-450a-a34f-dc57149f4609
 resource "google_compute_subnetwork" "vpc_connector" {
   count = local.create_vpc_connector ? 1 : 0
 
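Review bot: `# kics-scan disable=40430747-442d-450a-a34f-dc57149f4609` is placed beside the resource like the `trivy:ignore` line above it, but KICS documents `disable=` as a file-level directive. It would therefore suppress that query for every resource in static_egress_ip.tf, not only `vpc_connector`, and it is expected in the comment header at the start of the file. Lines 1–2 are outside this hunk, so it is worth checking that the directive is actually honoured at this position. The bare UUID also gives no reason, so add a comment line above it such as `# KICS <query name> accepted for the VPC connector subnet: <reason>; the disable below applies file-wide` (placeholders to fill in). The resource body continues outside the hunk.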
diff --git a/tests/setup/main.tf b/tests/setup/main.tf
index c20b8a03703a26a92c90da6918facd9b6a9271b6..11a5bc8657568b1b91940bf006722fb8f6caecdc 100644
--- a/tests/setup/main.tf
+++ b/tests/setup/main.tf
@@ -1,3 +1,7 @@
+# These are test resources which are destroyed after each test run. Therefore, we are disabling kics-scan on the whole
+# file.
+# kics-scan ignore
+
 resource "random_id" "name" {
   byte_length = 2
   # "rapp" represents Cloud Run App and is required to ensure any resources created by this repo's tests are easily