diff --git a/.woodpecker.yml b/.woodpecker.yml
index f05e098..f940c88 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -18,6 +18,11 @@ steps:
         SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
         DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
 
+        # Hard guards so we fail *before* skopeo if anything is empty
+        [ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG is empty"; exit 2; }
+        [ -n "$SRC" ]     || { echo "❌ SRC is empty"; exit 2; }
+        [ -n "$DST" ]     || { echo "❌ DST is empty"; exit 2; }
+
          apt-get update -qq
          apt-get install -y -qq skopeo
          TOKEN="$(gcloud auth print-access-token)"
@@ -57,8 +62,9 @@ steps:
         apt-get update -qq && apt-get install -y -qq skopeo
         TOKEN="$(gcloud auth print-access-token)"
         for s in server1 server2 server3 nginx; do
-          skopeo inspect --creds "oauth2accesstoken:${TOKEN}" \
-            "docker://${DST}/${s}:${IMG_TAG}" >/dev/null
+          REF="docker://${DST}/${s}:${IMG_TAG}"
+          echo "🔎 verify ${REF}"
+          skopeo inspect --creds "oauth2accesstoken:${TOKEN}" "$REF" >/dev/null
         done
         echo "✅ Prod AR has all images at :$IMG_TAG"
 
@@ -78,18 +84,20 @@ steps:
         REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
 
         apt-get update -qq
-        apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io
+         apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
 
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
         export PATH="$PATH:$(pwd)/bin"
 
         TOKEN="$(gcloud auth print-access-token)"
-
-        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
-        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
-        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
-        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
-
+        for s in server1 server2 server3 nginx; do
+          REF="$REG/$s:$IMG_TAG"
+          echo "🛡  scan  $REF"
+          trivy image --username oauth2accesstoken --password "$TOKEN" \
+            --scanners vuln --ignore-unfixed --ignorefile .trivyignore \
+            --exit-code 1 --severity CRITICAL "$REF"
+        done
+        
   - name: prod-deploy
     depends_on: [security-scan]
     image: google/cloud-sdk:latest