diff --git a/.bundler-audit.yml b/.bundler-audit.yml
index 1aeeca7e4..9da7ebe94 100644
--- a/.bundler-audit.yml
+++ b/.bundler-audit.yml
@@ -1,2 +1,6 @@
+# ignores for `rake bundle_audit`
+# - 1 ignore per line
+# - leave a comment why we can safely ignore it and where to find more details
+# - leave file with `ignore: []` if ignore list is empty
 ignore:
 - CVE-2024-6484 # ignore until a patch is available https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
diff --git a/Rakefile b/Rakefile
index 27e9b48bd..4411f36cd 100644
--- a/Rakefile
+++ b/Rakefile
@@ -60,7 +60,7 @@ end
 
 desc 'Scan for gem vulnerabilities'
 task :bundle_audit do
- sh "bundle-audit check --update --ignore=CVE-2024-6484"
+ sh "bundle-audit check --update" # manage ignores in .bundler-audit.yml
 end
 
 desc "Run rubocop"
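Review bot: The new header in `.bundler-audit.yml` asks for a reason an ignore is safe, but the only entry present, CVE-2024-6484, carries just "ignore until a patch is available", which defers the finding rather than justifying it and gives no trigger for removing the entry. Suggest adding a bullet such as `# - record the affected gem and a date or condition for re-checking the ignore` so that a suppressed advisory does not outlive the fix it is waiting for. Because `rake bundle_audit` reports only what is not ignored, an entry left here after the patched gem ships would keep hiding the available upgrade.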
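Review bot: The inline comment on the `sh` line says where ignores now live but not that the config file is only honoured by bundler-audit releases that read `.bundler-audit.yml`; on an older release the task would report CVE-2024-6484 and fail without explaining why the ignore was lost. Consider stating the minimum in the comment, e.g. `sh "bundle-audit check --update" # ignores in .bundler-audit.yml (needs bundler-audit >= <version that reads the config file>)`, and pinning that minimum in the Gemfile, which is outside this diff. The config file is presumably resolved relative to the working directory, which under rake is the Rakefile's directory, so no explicit config path should be needed as long as the task is invoked through rake. `--update` still fetches the advisory database over the network on every run, unchanged by this commit but worth noting for any offline CI job.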