diff --git a/.gitea/workflows/security-scan.yml b/.gitea/workflows/security-scan.yml
index 2df1137..e2dd42f 100644
--- a/.gitea/workflows/security-scan.yml
+++ b/.gitea/workflows/security-scan.yml
@@ -47,14 +47,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
+      - name: Install Trivy
+        # Direct install via the official upstream script. The aquasecurity/
+        # trivy-action wrapper does nested checkouts and auth-juggling that
+        # does not play well with Self-Hosted Gitea Actions, this is more
+        # robust and a smaller surface.
+        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+
       - name: Run Trivy filesystem scan
         # Scans dependency manifests (NuGet, npm, package-lock etc.) against
-        # the NVD CVE database. ignore-unfixed skips findings that have no
-        # patched version available so we focus on actionable items.
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: fs
-          scan-ref: .
-          severity: ${{ inputs.severity }}
-          exit-code: '1'
-          ignore-unfixed: true
+        # the NVD CVE database. --ignore-unfixed skips findings that have
+        # no patched version available so we focus on actionable items.
+        run: trivy fs --severity ${{ inputs.severity }} --exit-code 1 --ignore-unfixed .
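Review bot: The new `run:` line of the "Run Trivy filesystem scan" step interpolates `${{ inputs.severity }}` straight into the shell command, which the previous `with:` form did not do; the runner expands the expression before the shell parses it, so any caller or dispatch trigger that controls that input (the trigger definition is outside this hunk) can inject shell. Pass it through the environment instead: `env:` / `  SEVERITY: ${{ inputs.severity }}` / `run: trivy fs --severity "$SEVERITY" --exit-code 1 --ignore-unfixed .`. The "Install Trivy" step also fetches `contrib/install.sh` from the mutable `main` ref and pipes it into `sudo sh` with no version argument, so the scanner binary and the installer are both unpinned; the comment's "smaller surface" claim holds only if the script URL is pinned to a commit and a release tag is appended, e.g. `-- -b /usr/local/bin <pinned-trivy-version>`. Consider also recording the installed version with a `trivy --version` line so scan results are attributable to a known build.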