diff --git a/.safety-policy.yml b/.safety-policy.yml
new file mode 100644
index 000000000..dcba87b21
--- /dev/null
+++ b/.safety-policy.yml
@@ -0,0 +1,6 @@
+# Safety policy file for `safety check`.
+# Required by safety 3.x — the CLI looks for this file in cwd even when
+# --ignore is passed inline. Ignores are kept on the tox command line
+# (see tox.ini [testenv:safety]) so they stay visible in CI output.
+security:
+ ignore-vulnerabilities: {}
diff --git a/tox.ini b/tox.ini
index 1962eec90..06d7cc727 100644
--- a/tox.ini
+++ b/tox.ini
@@ -62,8 +62,8 @@ deps =
 skip_install = true
 whitelist_externals=find
 commands =
- safety check -r requirements.txt --ignore 39642 --ignore 39659
- safety check -r requirements-dev.txt
+ safety check -r requirements.txt --policy-file .safety-policy.yml --ignore 39642 --ignore 39659
+ safety check -r requirements-dev.txt --policy-file .safety-policy.yml
 
 [testenv:bandit]
 deps =
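Review bot: The two suppressed advisories on the first `+` line of the tox.ini hunk (`--ignore 39642 --ignore 39659`) still carry no rationale or review date, so nothing will prompt their removal once the affected pins are upgraded and the suppressions quietly outlive their purpose. Since the commit ships a policy file anyway, the IDs could live under `ignore-vulnerabilities` with `reason:` and `expires:` entries, which as I read the policy-file format makes a lapsed suppression stop applying instead of persisting silently. If keeping them on the command line for CI visibility is preferred, at least add a comment line above `commands =` such as `# 39642, 39659: <package/reason>, revisit by <date>` so a reader can tell what each ID concerns. `requirements-dev.txt` is checked with no ignores, so the two IDs are presumably only relevant to the runtime pins — worth confirming in that comment.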