diff --git a/enroll/manifest.py b/enroll/manifest.py
index 09666d4..afb8b88 100644
--- a/enroll/manifest.py
+++ b/enroll/manifest.py
@@ -567,7 +567,7 @@ def _tar_dir_to_with_progress(
             cols = shutil.get_terminal_size((80, 20)).columns
             msg = msg[: cols - 1]
         except Exception:
-            pass
+            pass # nosec
         os.write(2, ("\r" + msg).encode("utf-8", errors="replace"))
 
     with tarfile.open(tar_path, mode="w:gz") as tf:
diff --git a/enroll/remote.py b/enroll/remote.py
index df8d876..7ad8dc4 100644
--- a/enroll/remote.py
+++ b/enroll/remote.py
@@ -200,7 +200,7 @@ def remote_harvest(
 
             # Stream a tarball back to the local machine (avoid creating a tar file on the remote).
             cmd = f"tar -cz -C {rbundle} ."
-            _stdin, stdout, stderr = ssh.exec_command(cmd)
+            _stdin, stdout, stderr = ssh.exec_command(cmd) # nosec
             with open(local_tgz, "wb") as f:
                 while True:
                     chunk = stdout.read(1024 * 128)
diff --git a/enroll/sopsutil.py b/enroll/sopsutil.py
index d43d351..6c0c881 100644
--- a/enroll/sopsutil.py
+++ b/enroll/sopsutil.py
@@ -2,7 +2,7 @@ from __future__ import annotations
 
 import os
 import shutil
-import subprocess
+import subprocess # nosec
 import tempfile
 from pathlib import Path
 from typing import Iterable, List, Optional
@@ -62,7 +62,7 @@ def encrypt_file_binary(
         ],
         capture_output=True,
         check=False,
-    )
+    ) # nosec
     if res.returncode != 0:
         raise SopsError(
             "sops encryption failed:\n"
@@ -112,7 +112,7 @@ def decrypt_file_binary_to(
         ],
         capture_output=True,
         check=False,
-    )
+    ) # nosec
     if res.returncode != 0:
         raise SopsError(
             "sops decryption failed:\n"