diff --git a/Cargo.toml b/Cargo.toml
index 09d677db..5fac7fcd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -24,6 +24,7 @@ edition = "2021"
 license = "BSD-3-Clause"
 
 [workspace.lints.rust]
+unsafe_code = "warn"
 unused_crate_dependencies = "warn"
 
 [workspace.lints.clippy]
diff --git a/libcnb/src/exec_d.rs b/libcnb/src/exec_d.rs
index cf12af4f..ad11df66 100644
--- a/libcnb/src/exec_d.rs
+++ b/libcnb/src/exec_d.rs
@@ -24,6 +24,7 @@ pub fn write_exec_d_program_output<O: Into<ExecDProgramOutput>>(o: O) {
         // actually mapped to something. Since we're implementing the CNB spec and it explicitly
         // tells us to write to that file descriptor, this is safe to do without additional
         // validation in this context.
+        #[allow(unsafe_code)]
         let output_file = unsafe { File::from_raw_fd(3) };
 
         let serialized_output = toml::to_string(&o.into())