diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml
index 43ea694..a213ea4 100644
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@@ -10,6 +10,8 @@ env:
   # whichever you use to reach it from your desktop/laptop
   FORGEJO_HOST: code.zeidler.dev
   HELM_EXPERIMENTAL_OCI: 1
+  TRIVY_IMAGE: aquasec/trivy:0.69.3
+
 jobs:
   check-docker:
     runs-on: docker-cli
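Review bot: `TRIVY_IMAGE: aquasec/trivy:0.69.3` pins the scanner by tag only, and the scan steps later in this diff hand that image the host Docker socket, so whatever the registry serves under that tag runs with control of the host daemon. A digest pin removes the mutable-tag dependency and makes the scanner reproducible: `TRIVY_IMAGE: aquasec/trivy:0.69.3@sha256:<digest-placeholder>`. The replaced `trivy-action@v0.35.0` was tag-pinned too, so this is not a regression, but it is the moment to fix it.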
@@ -50,45 +52,47 @@ jobs:
         run: docker build -t scan/proxy:latest ./proxy
       - name: Generate proxy SBOM
-        uses: aquasecurity/trivy-action@v0.35.0
-        with:
-          image-ref: scan/proxy:latest
-          format: cyclonedx
-          output: sbom-proxy.cdx.json
-          exit-code: '0'
-          vuln-type: os,library
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v "$PWD":/output \
+            ${{ env.TRIVY_IMAGE }} \
+            image --exit-code 0 --vuln-type os,library \
+            --format cyclonedx --output /output/sbom-proxy.cdx.json \
+            scan/proxy:latest
       - name: Scan proxy image
-        uses: aquasecurity/trivy-action@v0.35.0
-        with:
-          image-ref: scan/proxy:latest
-          format: table
-          exit-code: '1'
-          severity: HIGH,CRITICAL
-          ignore-unfixed: true
-          vuln-type: os,library
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            ${{ env.TRIVY_IMAGE }} \
+            image --exit-code 1 --severity HIGH,CRITICAL \
+            --ignore-unfixed --vuln-type os,library \
+            --format table \
+            scan/proxy:latest
       - name: Build claude image for scanning
         run: docker build -t scan/claude:latest ./claude
       - name: Generate claude SBOM
-        uses: aquasecurity/trivy-action@v0.35.0
-        with:
-          image-ref: scan/claude:latest
-          format: cyclonedx
-          output: sbom-claude.cdx.json
-          exit-code: '0'
-          vuln-type: os,library
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v "$PWD":/output \
+            ${{ env.TRIVY_IMAGE }} \
+            image --exit-code 0 --vuln-type os,library \
+            --format cyclonedx --output /output/sbom-claude.cdx.json \
+            scan/claude:latest
       - name: Scan claude image
-        uses: aquasecurity/trivy-action@v0.35.0
-        with:
-          image-ref: scan/claude:latest
-          format: table
-          exit-code: '1'
-          severity: HIGH,CRITICAL
-          ignore-unfixed: true
-          vuln-type: os,library
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            ${{ env.TRIVY_IMAGE }} \
+            image --exit-code 1 --severity HIGH,CRITICAL \
+            --ignore-unfixed --vuln-type os,library \
+            --format table \
+            scan/claude:latest
       - name: Upload SBOMs
if: always()
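Review bot: All four new `run:` steps mount `/var/run/docker.sock` into the Trivy container, which gives a third-party scanner image root-equivalent control of the host daemon when it only needs read access to one locally built image. Exporting the image with `docker save` and scanning the tarball via `trivy image --input` removes the socket mount entirely, and the same pattern applies to the two SBOM steps and the claude steps. A side effect worth checking on this runner is that files written into the `-v "$PWD":/output` mount by the container are root-owned, which may trip the later "Upload SBOMs" step if the runner user is unprivileged; without the socket mount, `--user "$(id -u):$(id -g)"` can be added to avoid that. The fence shows the rewritten proxy scan step only.
```yaml
      - name: Scan proxy image
        run: |
          docker save scan/proxy:latest -o proxy.tar
          docker run --rm \
            -v "$PWD":/output \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 1 --severity HIGH,CRITICAL \
            --ignore-unfixed --vuln-type os,library \
            --format table \
            --input /output/proxy.tar
# … unchanged: SBOM steps and claude image steps, which follow the same pattern …
```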