diff --git a/.gitea/workflows/azure-pipelines.yml b/.gitea/workflows/azure-pipelines.yml
index 55c3294..91858ff 100644
--- a/.gitea/workflows/azure-pipelines.yml
+++ b/.gitea/workflows/azure-pipelines.yml
@@ -33,9 +33,28 @@ jobs:
 - name: Install dependencies
 run: npm ci
+ # ---------------- TRIVY (filesystem scan; avoid trivy-action — it pulls actions/cache node24) ----------------
+ # - name: Install Trivy
+ # run: |
+ # mkdir -p "${HOME}/bin"
+ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "${HOME}/bin" v0.70.0
+ # echo "${HOME}/bin" >> "${GITHUB_PATH}"
+ # trivy --version
+
+ - name: Trivy filesystem scan
+ run: |
+ trivy fs --format table --output report.txt \
+ --skip-dirs node_modules,android/.gradle,android/build,ios/Pods,ios/build,.git \
+ --exit-code 0 \
+ .
+
+ # - name: Upload Trivy report
+ # uses: actions/upload-artifact@v3
+ # with:
+ # name: trivy-fs-report
+ # path: report.txt
+
 # ---------------- SONARQUBE ----------------
- # Gitea does not support actions with runs.using: node24 (e.g. sonarqube-scan-action master).
- # Use the CLI via npx (same as npm run sonar); optional SONAR_URL overrides sonar-project.properties.
 # In Gitea: Settings → Secrets → SONAR_TOKEN (and optionally SONAR_URL).
 - name: SonarQube Scan
 uses: SonarSource/sonarqube-scan-action@v6
diff --git a/App.js b/App.js
index 21de250..ffdcd0f 100644
--- a/App.js
+++ b/App.js
@@ -6,4 +6,5 @@ console.log("test4")
 console.log("test5")
 console.log("test6")
 console.log("test7")
-console.log("test8")
\ No newline at end of file
+console.log("test8")
+console.log("test9")
\ No newline at end of file
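Review bot: The `Trivy filesystem scan` step can neither surface nor enforce its findings as written: `--output report.txt` sends the table to a file, the `Upload Trivy report` step is commented out, and `--exit-code 0` keeps the job green whatever is found. Either drop `--output report.txt` so the table lands in the job log, or add `cat report.txt` as the last line of the `run:` block; once the baseline is triaged, gate on it with `--exit-code 1 --severity HIGH,CRITICAL`. The step also assumes `trivy` is already on the runner's PATH, because `Install Trivy` is commented out, so on a runner image without it the step would fail before scanning anything. If that install block is re-enabled, note that it pipes `install.sh` from the mutable `main` branch into `sh`: only the Trivy version (`v0.70.0`) is pinned, not the installer, so fetching the script at a release tag or commit and checking the release checksum would close that gap.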