diff --git a/.gitignore b/.gitignore index 3b224b1b..91b53e75 100644 --- a/.gitignore +++ b/.gitignore @@ -463,7 +463,8 @@ venv/ .hypothesis/ **/out/* .copilot-tracking/ -dependency-pinning-artifacts/ +dependency-pinning-artifacts/* +!dependency-pinning-artifacts/README.md .DS_Store .beads/ diff --git a/dependency-pinning-artifacts/README.md b/dependency-pinning-artifacts/README.md new file mode 100644 index 00000000..3c37f2a4 --- /dev/null +++ b/dependency-pinning-artifacts/README.md @@ -0,0 +1,28 @@ +--- +title: Dependency Pinning Artifacts +description: Local staging directory for dependency pinning compliance artifacts produced in CI. +author: Edge AI Team +ms.topic: reference +--- + +This directory is the local staging location for the dependency pinning +compliance report produced by +[`scripts/security/Test-DependencyPinning.ps1`](../scripts/security/Test-DependencyPinning.ps1) +when it runs on the `github` platform. + +The script creates this directory at runtime and copies the generated +`dependency-pinning-report.*` file into it so that the GitHub Actions +`upload-artifact` step in +[`.github/workflows/dependency-pinning-scan.yml`](../.github/workflows/dependency-pinning-scan.yml) +has a stable, known path to pick up the report from. + +## Contents + +The directory is otherwise empty in source control — this `README.md` is the +only tracked file. Runtime artifacts (the report copies) are ignored via the +repository's top-level [`.gitignore`](../.gitignore), so nothing generated by a +CI run ends up being committed. + +If you are looking for the report itself, run the dependency pinning scan +locally and inspect the file the script writes into this directory, or download +the `dependency-pinning-report` artifact from the GitHub Actions run summary.
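Review bot: the `!dependency-pinning-artifacts/README.md` negation in the `.gitignore` hunk only works because the preceding line was changed from the directory form `dependency-pinning-artifacts/` to the contents form `dependency-pinning-artifacts/*`; git does not descend into a directory excluded as a whole, so a negated path beneath it would be silently ignored. Add a one-line comment above the pair in `.gitignore` saying the `/*` form is deliberate, so a later tidy-up does not collapse it back to `dependency-pinning-artifacts/` and quietly untrack the README. Worth verifying with `git check-ignore -v dependency-pinning-artifacts/README.md` (should report no match) and `git check-ignore -v dependency-pinning-artifacts/dependency-pinning-report.json` (should match the `/*` rule) that the generated report copies remain excluded.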
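Review bot: the new README states "The script creates this directory at runtime", but with this patch the directory is now always present in a checkout because `README.md` is tracked; the wording should say the script ensures the directory exists (creating it only if missing) so the doc does not contradict the tree. Related, since the README now lives inside the staging directory, if the `upload-artifact` step in `.github/workflows/dependency-pinning-scan.yml` points its `path` at the directory rather than at `dependency-pinning-artifacts/dependency-pinning-report.*`, the README will be bundled into the uploaded `dependency-pinning-report` artifact; confirm the workflow targets the report file pattern, and consider noting that pattern in the README so readers know exactly which file the compliance artifact contains.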