diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
index a92182d..2ce38f1 100644
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@@ -24,7 +24,9 @@ steps:
 TRIVY_NO_PROGRESS: "true"
 TRIVY_SEVERITY: HIGH,CRITICAL
 TRIVY_TIMEOUT: 1m
- TRIVY_SKIP_FILES: /usr/local/bin/gomplate
+ TRIVY_SKIP_FILES: >-
+ /usr/local/bin/gomplate,
+ /opt/pipx/venvs/ansible/lib/**/site-packages/ansible_collections/**/modules/*.py
 publish-dockerhub:
 group: container
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index 1b5ac0c..2a2fe3a 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
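Review bot: The new `TRIVY_SKIP_FILES` glob removes every `modules/*.py` under `ansible_collections` in the pipx venv from the scan, and nothing in the step records which finding it is meant to silence. A comment above the key, for example `# skip collection modules: <finding being suppressed> (see <issue placeholder>)`, would let a later reader judge whether the exclusion is still needed, and narrowing the pattern to the collections that actually trigger it would keep the rest of the venv in scope. The folded `>-` scalar also joins the two entries as `gomplate, /opt/...` with a space after the comma, so it is worth confirming in the job log that Trivy applies the second entry as intended, or writing the value as one quoted line. The `steps` mapping starts and ends outside the hunk.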
@@ -20,25 +20,30 @@ ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
 ENV ANSIBLE_FORCE_COLOR=true
 ENV USER=root
 ENV PATH=/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
+ENV PIPX_HOME=/opt/pipx
+ENV PIPX_BIN_DIR=/usr/local/bin
 COPY overlay/ /
 RUN apk add --update --no-cache --virtual .build-deps build-base libffi-dev musl-dev openssl-dev python3-dev cargo && \
- apk add --update --no-cache git openssh-client && \
- echo "Installing requirements ..." && \
- pip install -qq --upgrade --no-cache-dir pip && \
- pip install -qq --no-cache-dir -r /root/requirements.txt && \
+ apk add --update --no-cache git openssh-client pipx && \
 echo "Installing ansible 'v$ANSIBLE_VERSION' ..." && \
- pip install -qq --no-cache-dir ansible=="$ANSIBLE_VERSION" && \
- MOLECULE_VERSION="${MOLECULE_VERSION##v}" && \
- MOLECULE_MAJOR="${MOLECULE_VERSION%%.*}" && \
- if [ -z "${MOLECULE_MAJOR//[0-9]}" ] && [ -n "$MOLECULE_MAJOR" ]; then \
- echo "Installing molecule version '$MOLECULE_VERSION' ..." && \
- pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker]; \
- else \
- echo "Installing latest molecule ..." && \
- pip install -qq --no-cache-dir molecule molecule-plugins[docker]; \
- fi && \
+ pipx install --include-deps ansible=="$ANSIBLE_VERSION" && \
+ echo "Installing molecule version '$MOLECULE_VERSION' ..." && \
+ pipx inject --include-apps ansible molecule && \
+ pipx inject --include-apps ansible pytest && \
+ pipx inject ansible pytest-testinfra && \
+ pipx inject ansible molecule-plugins[docker] && \
+ pipx inject ansible molecule_hetznercloud && \
+ pipx inject ansible boto && \
+ pipx inject ansible boto3 && \
+ pipx inject ansible botocore && \
+ pipx inject ansible hcloud && \
+ pipx inject ansible apache-libcloud && \
+ pipx inject ansible pycrypto && \
+ pipx inject ansible flaky && \
+ pipx inject ansible passlib && \
+ $PIPX_HOME/shared/bin/pip install -U pip setuptools && \
 apk del .build-deps && \
 rm -rf /var/cache/apk/* && \
 rm -rf /tmp/* && \
diff --git a/overlay/bin/molecule b/overlay/bin/molecule
index e3c1d8e..e31dbc9 100755
--- a/overlay/bin/molecule
+++ b/overlay/bin/molecule
@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
-# shellcheck disable=2039
+# shellcheck disable=2039,3040
 set -eo pipefail
 DIR=$(pwd)
@@ -11,7 +11,7 @@ if [ -n "${MOLECULE_CUSTOM_MODULES_REPO}" ]; then
 WORKDIR="${MOLECULE_LIBRARY_DIR}"
 [ -d "$WORKDIR" ] && rm -rf "$WORKDIR"
 mkdir -p "$WORKDIR"
- git clone "$MOLECULE_CUSTOM_MODULES_REPO" "$WORKDIR" 2> /dev/null
+ git clone "$MOLECULE_CUSTOM_MODULES_REPO" "$WORKDIR" 2>/dev/null
 fi
 if [ -n "${MOLECULE_CUSTOM_FILTERS_REPO}" ]; then
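Review bot: `MOLECULE_VERSION` is no longer honoured in the Containerfile.multiarch hunk: the added `pipx inject --include-apps ansible molecule` always pulls the latest release, while the echo before it still prints the requested version, so an image can ship a different molecule than the value (presumably a build argument) it was built with. All thirteen injected packages are unpinned as well, which makes rebuilds non-reproducible and lets a newly published upstream release land in the image unreviewed; restoring the version branch for molecule, as sketched below, and pinning the rest would close that gap. `pycrypto`, carried over from the deleted requirements file, is unmaintained and has known unfixed vulnerabilities; `pycryptodome` is the maintained replacement if anything still imports `Crypto`. The `RUN` instruction continues past the end of the hunk.

```dockerfile
    # … unchanged: apk add, pipx install ansible …
    MOLECULE_VERSION="${MOLECULE_VERSION##v}" && \
    MOLECULE_MAJOR="${MOLECULE_VERSION%%.*}" && \
    if [ -z "${MOLECULE_MAJOR//[0-9]}" ] && [ -n "$MOLECULE_MAJOR" ]; then \
        echo "Installing molecule version '$MOLECULE_VERSION' ..." && \
        pipx inject --include-apps ansible molecule=="$MOLECULE_VERSION"; \
    else \
        echo "Installing latest molecule ..." && \
        pipx inject --include-apps ansible molecule; \
    fi && \
    # … unchanged: remaining pipx inject lines, pip upgrade, cleanup …
```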
@@ -19,13 +19,13 @@ if [ -n "${MOLECULE_CUSTOM_FILTERS_REPO}" ]; then
 printf "Cloning custom filters ...\n"
 [ -d "$WORKDIR" ] && rm -rf "$WORKDIR"
 mkdir -p "$WORKDIR"
- git clone "$MOLECULE_CUSTOM_FILTERS_REPO" "$WORKDIR" 2> /dev/null
+ git clone "$MOLECULE_CUSTOM_FILTERS_REPO" "$WORKDIR" 2>/dev/null
 fi
 if [ -n "${MOLECULE_ANSIBLE_VAULT_PASSWORD}" ]; then
 printf "Write vault password file ...\n"
 MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE=/root/.vaultpasswd
- echo "${MOLECULE_ANSIBLE_VAULT_PASSWORD}" > $MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE
+ echo "${MOLECULE_ANSIBLE_VAULT_PASSWORD}" >$MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE
 exec env ANSIBLE_VAULT_PASSWORD_FILE=$MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE /usr/local/bin/molecule "$@"
 else
 exec /usr/local/bin/molecule "$@"
diff --git a/overlay/root/requirements.txt b/overlay/root/requirements.txt
deleted file mode 100644
index 63d7bc6..0000000
--- a/overlay/root/requirements.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-# cloud provider deps
-boto
-boto3
-botocore
-apache-libcloud
-hcloud
-molecule_hetznercloud
-
-# misc
-pycrypto
-flaky
-passlib
-pytest
-pytest-testinfra