diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 953def3..feadfb2 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -72,7 +72,12 @@ jobs: steps: - name: Install Trivy run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # Pinned version — the upstream install.sh resolves the + # positional tag against the GitHub releases API; the `latest` + # tag is no longer published, so leaving it empty fails with + # `unable to find '' - use 'latest' or see ...`. v0.71.0 has + # Linux-ARM64 builds for the Pi runner. + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 - name: Scan Bot image run: | diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml index 6cdcd2c..de0f59e 100644 --- a/.gitea/workflows/pr-checks.yml +++ b/.gitea/workflows/pr-checks.yml @@ -47,7 +47,8 @@ jobs: - name: Install Trivy run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # Pinned version — see deploy.yml for why. + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 trivy --version - name: Trivy filesystem security scan
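Review bot: The new `curl ... | sh` line in the "Install Trivy" step of deploy.yml pins the Trivy binary to `v0.71.0` but still fetches the installer itself from the mutable `main` branch (`.../trivy/main/contrib/install.sh`) and pipes it straight into `sh`, so a compromised or simply changed upstream script would run unreviewed on the deploy runner while the version pin gives a false sense of reproducibility. Pin the script reference as well — ideally a commit SHA, or at least the release tag if the file exists at that ref, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/v0.71.0/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0` — or download the release tarball directly and compare its sha256 against a value committed here. Separately, unlike the pr-checks.yml hunk this step never runs `trivy --version` afterwards, and a pipeline's exit status is that of `sh` (which exits 0 on empty input) unless `pipefail` is set, so a failed or blocked download would be silent until the scan step; add `set -o pipefail` at the top of the `run: |` block and a `trivy --version` line after the install. The step's enclosing `steps:` list continues outside the hunk.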
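Review bot: In the pr-checks.yml hunk the same unpinned installer remains — the script is taken from `.../trivy/main/contrib/install.sh` on every PR run and piped to `sh`, so only the binary tag is pinned, not the code that chooses, downloads and places the binary; this workflow runs on pull requests, which is exactly where a reviewer wants the tooling to be fixed. Pin the script ref alongside the version (a commit SHA, or the release tag path if it exists there) as a single-line change. Since `trivy --version` is already run here, it is cheap to make it assert the pin rather than just print it, e.g. `trivy --version | grep -Fq 0.71.0`, so a silent fallback or cached older binary on the runner fails the job. The version string is now duplicated across two workflow files with only a comment ("see deploy.yml for why") tying them together; if Gitea repository variables are available, a `vars.TRIVY_VERSION` (or at least a top-level `env: TRIVY_VERSION: "0.71.0"` in each file, quoted so YAML does not read it as a float) would keep the two pins from drifting.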