diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7be5d57..64eb9a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,17 +9,15 @@ on:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint (ruff)
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     steps:
       - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-          token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: actions/setup-python@v5
         with:
@@ -31,18 +29,13 @@ jobs:
       - name: Lint with ruff
         run: ruff check . --output-format=github
 
-      - name: Format with ruff
-        run: |
-          ruff format .
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config user.name "github-actions[bot]"
-          git diff --quiet || git commit -am "style: auto-format with ruff" && git push
+      - name: Format check with ruff
+        run: ruff format --check .
 
   test:
     name: Test (pytest + PostgreSQL)
     runs-on: ubuntu-latest
     needs: lint
-
     services:
       postgres:
         image: postgres:16-alpine
@@ -57,13 +50,12 @@ jobs:
           --health-retries 5
         ports:
           - 5432:5432
-
     env:
       DATABASE_URL: postgresql://testuser:testpass@localhost:5432/testdb
       SECRET_KEY: test-secret
-
     steps:
       - uses: actions/checkout@v4
+
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
@@ -75,38 +67,37 @@ jobs:
           pip install -r requirements.txt
 
       - name: Run migrations
-        run: |
-          flask db upgrade
+        run: flask db upgrade
         env:
           FLASK_APP: "app:create_app()"
 
       - name: Run pytest
-        run: |
-          pytest --cov=app --cov-report=xml --cov-fail-under=85 -v
+        run: pytest --cov=app --cov-report=xml --cov-fail-under=85 -v
 
       - name: Upload coverage
         uses: actions/upload-artifact@v4
         with:
           name: coverage-report
           path: coverage.xml
+          retention-days: 7
 
   docker:
     name: Build & Push Docker Image
     runs-on: ubuntu-latest
     needs: test
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     permissions:
       contents: read
       packages: write
-
+      security-events: write
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -114,7 +105,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
@@ -122,10 +113,27 @@ jobs:
             type=raw,value=latest
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        id: build
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          provenance: true
+          sbom: true
+
+      - name: Trivy image scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:latest
+          format: sarif
+          output: trivy.sarif
+          severity: HIGH,CRITICAL
+          exit-code: '0'
+
+      - name: Upload Trivy results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy.sarif