diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml index 6df0cbc..d0fbd31 100644 --- a/.woodpecker/build-container.yml +++ b/.woodpecker/build-container.yml @@ -6,24 +6,30 @@ when: - ${CI_REPO_DEFAULT_BRANCH} steps: - dryrun: + - name: security-build image: quay.io/thegeeklab/wp-docker-buildx:5 settings: containerfile: Containerfile.multiarch - dry_run: true - platforms: - - linux/amd64 - - linux/arm64 - - linux/arm/v7 - - linux/arm/v6 - provenance: false + output: type=oci,dest=oci/${CI_REPO_NAME},tar=false repo: thegeeklab/${CI_REPO_NAME} - when: - - event: [pull_request] - publish-dockerhub: - group: build + - name: security-scan + image: docker.io/aquasec/trivy + depends_on: security-build + commands: + - trivy -v + - trivy image --input oci/${CI_REPO_NAME} + environment: + TRIVY_EXIT_CODE: "1" + TRIVY_IGNORE_UNFIXED: "true" + TRIVY_NO_PROGRESS: "true" + TRIVY_SEVERITY: HIGH,CRITICAL + TRIVY_TIMEOUT: 1m + TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2 + + - name: publish-dockerhub image: quay.io/thegeeklab/wp-docker-buildx:5 + depends_on: [security-scan] settings: auto_tag: true containerfile: Containerfile.multiarch @@ -44,9 +50,9 @@ steps: branch: - ${CI_REPO_DEFAULT_BRANCH} - publish-quay: - group: build + - name: publish-quay image: quay.io/thegeeklab/wp-docker-buildx:5 + depends_on: [security-scan] settings: auto_tag: true containerfile: Containerfile.multiarch diff --git a/.woodpecker/build-package.yml b/.woodpecker/build-package.yml index 2ab6c8d..6c245c8 100644 --- a/.woodpecker/build-package.yml +++ b/.woodpecker/build-package.yml 
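Review bot: The scan gate covers only the single-platform OCI layout that `security-build` writes — the `platforms` list was dropped from that step — while `publish-dockerhub` (gated on `security-scan`; its settings continue outside the hunk) rebuilds and pushes the multi-arch image from `Containerfile.multiarch`, so the arm variants appear to be published unscanned and what is pushed is a fresh build rather than the scanned artifact. Either scan each platform that is published or push the artifact that was scanned. Separately, `image: docker.io/aquasec/trivy` pulls a floating tag for the tool that gates every publish; pin it to a release tag and ideally a digest, `image: docker.io/aquasec/trivy:<release>@sha256:<digest>`, so a scanner update cannot silently change what passes the gate. `TRIVY_TIMEOUT: 1m` also has to cover the vulnerability DB download on a cold runner, which may make the gate fail for reasons unrelated to the image.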
@@ -6,19 +6,19 @@ when: - ${CI_REPO_DEFAULT_BRANCH} steps: - checksum: + - name: checksum image: quay.io/thegeeklab/alpine-tools commands: - sha256sum wait-for > sha256sum.txt - changelog: + - name: changelog image: quay.io/thegeeklab/git-sv commands: - git sv current-version - git sv release-notes -t ${CI_COMMIT_TAG:-next} -o CHANGELOG.md - cat CHANGELOG.md - publish-github: + - name: publish-github image: docker.io/plugins/github-release settings: api_key: diff --git a/.woodpecker/docs.yml b/.woodpecker/docs.yml index 6fed940..69dfa3e 100644 --- a/.woodpecker/docs.yml +++ b/.woodpecker/docs.yml @@ -6,12 +6,12 @@ when: - ${CI_REPO_DEFAULT_BRANCH} steps: - markdownlint: + - name: markdownlint image: quay.io/thegeeklab/markdownlint-cli commands: - markdownlint 'README.md' 'CONTRIBUTING.md' - spellcheck: + - name: spellcheck image: quay.io/thegeeklab/alpine-tools commands: - spellchecker --files 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls @@ -19,16 +19,16 @@ steps: FORCE_COLOR: "true" NPM_CONFIG_LOGLEVEL: "error" - pushrm-dockerhub: + - name: pushrm-dockerhub image: docker.io/chko/docker-pushrm:1 - secrets: - - source: docker_password - target: DOCKER_PASS - - source: docker_username - target: DOCKER_USER + depends_on: [markdownlint, spellcheck] environment: + DOCKER_PASS: + from_secret: docker_password + DOCKER_USER: + from_secret: docker_username PUSHRM_FILE: README.md - PUSHRM_SHORT: Poor-mans service synchronizer + PUSHRM_SHORT: Retry any shell command PUSHRM_TARGET: ${CI_REPO} when: - event: [push, manual] @@ -36,12 +36,12 @@ steps: - ${CI_REPO_DEFAULT_BRANCH} status: [success] - pushrm-quay: + - name: pushrm-quay image: docker.io/chko/docker-pushrm:1 - secrets: - - source: quay_token - target: APIKEY__QUAY_IO + depends_on: [markdownlint, spellcheck] environment: + APIKEY__QUAY_IO: + from_secret: quay_token PUSHRM_FILE: README.md PUSHRM_TARGET: quay.io/${CI_REPO} when: 
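Review bot: `PUSHRM_SHORT: Retry any shell command` looks like it was carried over from another repository's pipeline: everything else in this change is about `wait-for` (`sha256sum wait-for` in build-package.yml, `bats ./wait-for.bats` in test.yml), and this value becomes the Docker Hub short description. Unless the project has been renamed, keep the previous text, `PUSHRM_SHORT: Poor-mans service synchronizer`, or a description that matches the tool. Moving `docker_password`/`docker_username` into `environment` with `from_secret` matches the style the deleted notify.yml already used; the step's `when` block continues outside the hunk.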
diff --git a/.woodpecker/notify.yml b/.woodpecker/notify.yml deleted file mode 100644 index a851904..0000000 --- a/.woodpecker/notify.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -when: - - event: [tag] - - event: [push, manual] - branch: - - ${CI_REPO_DEFAULT_BRANCH} - -runs_on: [success, failure] - -steps: - matrix: - image: quay.io/thegeeklab/wp-matrix - settings: - homeserver: - from_secret: matrix_homeserver - password: - from_secret: matrix_password - roomid: - from_secret: matrix_roomid - username: - from_secret: matrix_username - when: - - status: [success, failure] - -depends_on: - - docs diff --git a/.woodpecker/test.yml b/.woodpecker/test.yml index 9a34d08..56b99d6 100644 --- a/.woodpecker/test.yml +++ b/.woodpecker/test.yml @@ -6,20 +6,21 @@ when: - ${CI_REPO_DEFAULT_BRANCH} steps: - lint: - group: test + - name: lint image: docker.io/koalaman/shellcheck-alpine:stable + depends_on: [] commands: - shellcheck ./wait-for - test-ncat: - group: test + - name: test-ncat image: docker.io/bats/bats + depends_on: [] commands: - bats ./wait-for.bats - test-bash: + - name: test-bash image: docker.io/bats/bats + depends_on: [] commands: - rm -rf /usr/bin/nc - bats ./wait-for.bats
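Review bot: `rm -rf /usr/bin/nc` in `test-bash` has no comment explaining why a test step deletes a binary before running the same suite that `test-ncat` runs; add `# remove nc so wait-for.bats exercises the path without it` above the command. `-rf` on a single file is stronger than needed, `rm -f /usr/bin/nc` says the same thing without the recursive flag. The three `depends_on: []` entries appear to be the replacement for the removed `group: test`, letting the steps run concurrently; a one-line comment on the first one, `# no dependencies: run concurrently with the other test steps`, would save the next reader a trip to the docs.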