diff --git a/.github/workflows/_osv-scan.yml b/.github/workflows/_osv-scan.yml
index 8119b30..dba004d 100644
--- a/.github/workflows/_osv-scan.yml
+++ b/.github/workflows/_osv-scan.yml
@@ -22,11 +22,23 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - name: Check for config file
+      - name: Fetch central OSV config
+        if: hashFiles('osv-scanner.toml') == ''
+        uses: actions/checkout@v6
+        with:
+          repository: ${{ github.repository_owner }}/.github
+          path: .central-config
+          sparse-checkout: osv-scanner.toml
+          sparse-checkout-cone-mode: false
+
+      - name: Apply config (local overrides central)
         id: config
         run: |
           if [ -f osv-scanner.toml ]; then
             echo "args=--config=osv-scanner.toml" >> "$GITHUB_OUTPUT"
+          elif [ -f .central-config/osv-scanner.toml ]; then
+            cp .central-config/osv-scanner.toml osv-scanner.toml
+            echo "args=--config=osv-scanner.toml" >> "$GITHUB_OUTPUT"
           else
             echo "args=" >> "$GITHUB_OUTPUT"
           fi
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000..ac52245
--- /dev/null
+++ b/osv-scanner.toml
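Review bot: The `Fetch central OSV config` step checks out `${{ github.repository_owner }}/.github` with no `ref:`, so it takes whatever is on that repo's default branch at run time; anyone with push access to that branch can add `[[IgnoredVulns]]` entries that silently suppress findings in every repo inheriting this workflow, so pin it with `ref:` to a tag or commit SHA (or at minimum document that the branch is protected and reviewed like code). That checkout is read-only, so also add `persist-credentials: false` under `with:` to keep the job token out of `.central-config/.git/config`. The `cp` in `Apply config` leaves the central file in the workspace as a plain `osv-scanner.toml`, indistinguishable from a repo-local one, so a later step that commits or uploads the tree (not visible in this hunk) would publish it — presumably harmless, but worth a one-line comment such as `# copied from org .github repo; not a repo-local override`.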
@@ -0,0 +1,34 @@
+# Org-wide OSV vulnerability ignores
+#
+# Central config inherited by all repos via _osv-scan.yml.
+# Only add entries here for vulns that cannot be immediately fixed
+# (e.g., no upstream patch yet, or upgrade blocked/pending Renovate rollout).
+# Remove entries promptly when upgrades land.
+#
+# Repos can override with a local osv-scanner.toml (takes precedence).
+
+# pygments 2.19.2 — Low severity (3.3), ReDoS in AdlLexer
+# No patched version available upstream
+[[IgnoredVulns]]
+id = "GHSA-5239-wwwm-4pmq"
+reason = "pygments 2.19.2 is the latest version; no fix available upstream"
+
+# nltk 3.9.3 — High severity (7.5), no patched version for this CVE
+[[IgnoredVulns]]
+id = "GHSA-jm6w-m3j8-898g"
+reason = "nltk 3.9.3 has no fix for this CVE"
+
+# nltk 3.9.3 — Medium severity (5.1), no patched version available
+[[IgnoredVulns]]
+id = "GHSA-rf74-v2fm-23pw"
+reason = "nltk 3.9.3 has no fix available upstream"
+
+# nltk 3.9.3 — Medium severity (6.1), fix available in 3.9.4
+[[IgnoredVulns]]
+id = "GHSA-gfwx-w7gr-fvh7"
+reason = "nltk upgrade to 3.9.4 pending Renovate PR"
+
+# requests 2.32.5 — Medium severity (4.4), fix available in 2.33.0
+[[IgnoredVulns]]
+id = "GHSA-gc5v-m9x4-r6x2"
+reason = "requests upgrade to 2.33.0 pending Renovate PR"
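Review bot: None of the five `[[IgnoredVulns]]` entries carries an expiry, so the header's "Remove entries promptly when upgrades land" is the only thing that ever un-suppresses them, even though the last two (`GHSA-gfwx-w7gr-fvh7`, `GHSA-gc5v-m9x4-r6x2`) already name the fixed version they are waiting on. osv-scanner's config supports an `ignoreUntil = YYYY-MM-DD` date per entry; give the two Renovate-blocked entries a date a few weeks out so the scan fails again if the upgrade stalls, and consider a longer dated review for the no-fix entries. The High-severity nltk entry (`GHSA-jm6w-m3j8-898g`, 7.5) is being suppressed org-wide with a reason that only states no patch exists, which is not a risk assessment — extend the `reason` to say why the exposure is acceptable (unused code path, no untrusted input, etc.), or move that ignore into the local `osv-scanner.toml` of the repos that actually need it rather than inheriting it everywhere.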