diff --git a/.sage/go.mod b/.sage/go.mod
index 11693c8..89593e2 100644
--- a/.sage/go.mod
+++ b/.sage/go.mod
@@ -2,4 +2,4 @@ module sage
 
 go 1.23
 
-require go.einride.tech/sage v0.371.0
+require go.einride.tech/sage v0.371.1
diff --git a/.sage/go.sum b/.sage/go.sum
index d55b5c2..21b1ac6 100644
--- a/.sage/go.sum
+++ b/.sage/go.sum
@@ -1,2 +1,2 @@
-go.einride.tech/sage v0.371.0 h1:uRoKhO2l6ZJd0x+jdqkL/FPy7N5NKZIb2SGkENwmyx8=
-go.einride.tech/sage v0.371.0/go.mod h1:sy9YuK//XVwEZ2wD3f19xVSKEtN8CYtgtBZGpzC3p80=
+go.einride.tech/sage v0.371.1 h1:9kdA48sddfrsTZoCuTi1JXJNzE9SFXB/miym/NQodtM=
+go.einride.tech/sage v0.371.1/go.mod h1:sy9YuK//XVwEZ2wD3f19xVSKEtN8CYtgtBZGpzC3p80=
diff --git a/spantest/emulator.go b/spantest/emulator.go
index 661ee2d..ac5e822 100644
--- a/spantest/emulator.go
+++ b/spantest/emulator.go
@@ -200,6 +200,8 @@ func inspectPortAddress(t testing.TB, containerID, containerPort string) string
 func execCommand(t testing.TB, name string, args ...string) string {
 	t.Helper()
 	t.Log("exec:", name, strings.Join(args, " "))
+	// No external args are passed to this exec.Command other than the static strings defined in this file.
+	// nosemgrep: go.lang.security.audit.dangerous-exec-command
 	cmd := exec.Command(name, args...)
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout, cmd.Stderr = &stdout, &stderr
diff --git a/spantest/inmemory.go b/spantest/inmemory.go
index 62360af..0465b79 100644
--- a/spantest/inmemory.go
+++ b/spantest/inmemory.go
@@ -3,7 +3,7 @@ package spantest
 import (
 	"context"
 	"fmt"
-	"math/rand"
+	"math/rand" // nosemgrep: go.lang.security.audit.crypto.math_random.math-random-used
 	"strconv"
 	"testing"