diff --git a/.env_sample b/.env_sample new file mode 100644 index 0000000..4c01045 --- /dev/null +++ b/.env_sample @@ -0,0 +1,14 @@ +# default: http://localhost:19999 +NETDATA_HOST=http://localhost:19999 + +# default: 200000 (last how many seconds to get from netdata) +# NETDATA_QUERY_SECONDS=200000 + +# default: 3000 (how many points in a row for the query) +# NETDATA_QUERY_POINTS=3000 + +# default: 0 (seconds to refresh the dashboard-website, 0 = no refresh) +# SITE_REFRESH=0 + +# default: 19998 (internal Port of the rudi-Server) +# SERVER_PORT=19998 diff --git a/.gitea/workflows/create_and_push_multiarch_container.yml b/.gitea/workflows/create_and_push_multiarch_container.yml index 389d349..f8d8ab9 100644 --- a/.gitea/workflows/create_and_push_multiarch_container.yml +++ b/.gitea/workflows/create_and_push_multiarch_container.yml @@ -1,12 +1,13 @@ -name: release-tag +name: build-image +run-name: build and push Docker-Image on: workflow_dispatch: # Manuelles Auslösen des Workflows inputs: image_tag: - description: 'Tag für das Docker-Image (z.B. latest oder v1.0.0)' + description: '2. Tag für das Docker-Image (z.B. 1.0.0)' required: true - default: 'latest' + default: '0.3.0' env: image_name: doc_rudi @@ -31,12 +32,6 @@ jobs: username: ${{ env.user }} password: ${{ secrets.DOCKER_PULL_TOKEN }} - - name: Get Meta - id: meta - run: | - echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT - echo DOCKERFILE_VERSION=$(grep 'LABEL version=' Dockerfile | sed 's/.*LABEL version="\([^"]*\)".*/\1/') >> $GITHUB_OUTPUT - - name: Build and push run: | # Stelle sicher, dass Buildx aktiviert ist 
@@ -46,7 +41,6 @@ jobs: docker buildx build \ --file ./Dockerfile \ --platform linux/amd64,linux/386,linux/arm64,linux/arm/v7 \ - --tag ${{ env.registry }}/${{ env.user }}/${{ env.image_name }}:${{ steps.meta.outputs.REPO_VERSION }} \ - --tag ${{ env.registry }}/${{ env.user }}/${{ env.image_name }}:${{ steps.meta.outputs.DOCKERFILE_VERSION }} \ + --tag ${{ env.registry }}/${{ env.user }}/${{ env.image_name }}:latest \ --tag ${{ env.registry }}/${{ env.user }}/${{ env.image_name }}:${{ github.event.inputs.image_tag }} \ --push ./ diff --git a/.gitea/workflows/demo.yml b/.gitea/workflows/demo.yml deleted file mode 100644 index e2b7dff..0000000 --- a/.gitea/workflows/demo.yml +++ /dev/null 
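Review bot: With the git-derived tags gone, the image is published only as `latest` and as whatever was typed into `image_tag`, and that required input defaults to `'0.3.0'`, so a re-run that forgets to bump it silently overwrites an already-published `0.3.0` with different content; nothing in this step checks whether the tag exists before `--push`. The input is also interpolated straight into the shell script as `${{ github.event.inputs.image_tag }}`; because only users allowed to dispatch the workflow control it, the injection exposure is limited, but passing it through `env:` and quoting it avoids the expression-in-shell pattern altogether. A pre-push existence check (e.g. via `docker buildx imagetools inspect`) makes version tags effectively immutable while `latest` keeps moving; the step's `run:` block begins in the previous hunk.

```yaml
      - name: Build and push
        env:
          IMAGE_TAG: ${{ github.event.inputs.image_tag }}
        run: |
          ref="${{ env.registry }}/${{ env.user }}/${{ env.image_name }}"
          if docker buildx imagetools inspect "$ref:$IMAGE_TAG" >/dev/null 2>&1; then
            echo "refusing to overwrite existing tag $IMAGE_TAG" >&2
            exit 1
          fi
          # … unchanged: buildx setup …
          docker buildx build \
            --file ./Dockerfile \
            --platform linux/amd64,linux/386,linux/arm64,linux/arm/v7 \
            --tag "$ref:latest" \
            --tag "$ref:$IMAGE_TAG" \
            --push ./
```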
@@ -1,53 +0,0 @@ -name: Gitea Actions Demo -run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀 -#on: [push] -on: workflow_dispatch - -jobs: - Explore-Gitea-Actions: - runs-on: ubuntu-latest - steps: - - name: Ick kiek ma welchet Linux dat is - run: | - echo "Det is $(grep ^PRETTY_NAME= /etc/os-release | cut -d= -f2 | tr -d '"') watt ick jetze nutze." - - name: Print runner variables - run: | - echo "runner.name: ${{ runner.name }}" - echo "runner.os: ${{ runner.os }}" - echo "runner.arch: ${{ runner.arch }}" - echo "runner.temp: ${{ runner.temp }}" - echo "runner.tool_cache: ${{ runner.tool_cache }}" - echo "runner.environment: ${{ runner.environment }}" - - name: Anzeigen von GitHub-spezifischen Variablen - run: | - echo "GITHUB_REPOSITORY: $GITHUB_REPOSITORY" - echo "GITHUB_REPOSITORY_OWNER: $GITHUB_REPOSITORY_OWNER" - echo "GITHUB_REF: $GITHUB_REF" - echo "GITHUB_REF_NAME: $GITHUB_REF_NAME" - echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE" - echo "GITHUB_JOB: $GITHUB_JOB" - echo "GITHUB_SHA: $GITHUB_SHA" - echo "GITHUB_ACTOR: $GITHUB_ACTOR" - echo "GITHUB_WORKFLOW: $GITHUB_WORKFLOW" - echo "GITHUB_RUN_ID: $GITHUB_RUN_ID" - echo "GITHUB_RUN_NUMBER: $GITHUB_RUN_NUMBER" - echo "GITHUB_EVENT_NAME: $GITHUB_EVENT_NAME" - echo "GITHUB_EVENT_PATH: $GITHUB_EVENT_PATH" - echo "GITHUB_WORKSPACE: $GITHUB_WORKSPACE" - echo "GITHUB_ENV: $GITHUB_ENV" - echo "GITHUB_ACTION: $GITHUB_ACTION" - echo "GITHUB_ACTION_REPOSITORY: $GITHUB_ACTION_REPOSITORY" - echo "GITHUB_SERVER_URL: $GITHUB_SERVER_URL" - echo "GITHUB_API_URL: $GITHUB_API_URL" - - - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event." - - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!" - - run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}." - - name: Check out repository code - uses: actions/checkout@v4 - - run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner." 
- - run: echo "🖥️ The workflow is now ready to test your code on the runner." - - name: List files in the repository - run: | - ls ${{ gitea.workspace }} - - run: echo "🍏 This job's status is ${{ job.status }}." diff --git a/.gitea/workflows/trivy_image_scan.yml b/.gitea/workflows/trivy_image_scan.yml new file mode 100644 index 0000000..ac553c0 --- /dev/null +++ b/.gitea/workflows/trivy_image_scan.yml @@ -0,0 +1,34 @@ +name: trivy-scan-image +run-name: Trivy - Scan Docker Image + +on: + workflow_dispatch: # Manuelles Auslösen des Workflows + inputs: + image_tag: + description: 'Tag für das zu scannende Docker-Image z.B. latest' + required: true + default: 'latest' + schedule: + - cron: '15 2 * * 5' + +env: + image_name: doc_rudi + image_tag: ${{ github.event.inputs.image_tag || 'latest' }} + registry_gitea: gitea.tebarius.duckdns.org + user: tebarius + +jobs: + trivy_image_scan: + runs-on: ubuntu-latest + container: aquasec/trivy:latest + steps: + - name: Scan image with trivy + run: | + trivy image \ + --username ${{ env.user }} \ + --password ${{ secrets.DOCKER_PULL_TOKEN }} \ + --exit-code 1 \ + --scanners vuln,misconfig,secret \ + --severity HIGH,CRITICAL \ + --ignore-unfixed \ + ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name }}:${{ env.image_tag }} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f10862a --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/.env diff --git a/Dockerfile b/Dockerfile index 066dad8..babb1e4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,14 +1,14 @@ -FROM python:slim +FROM python:3.14-slim ARG TARGETPLATFORM ARG BUILDPLATFORM LABEL authors="tebarius" -LABEL version="0.2.1" LABEL description="netdata-DocRudi" - -WORKDIR /app -COPY ./app /app/ +ENV PYTHONDONTWRITEBYTECODE=1 +ENV PYTHONUNBUFFERED=1 +ENV PATH="/rudi-venv/bin:$PATH" +ENV SERVER_PORT=19998 RUN apt-get update && \ if [ "$TARGETPLATFORM" = "linux/arm/v7" ] || [ "$TARGETPLATFORM" = "linux/386" ]; then \ 
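Review bot: The registry credential is passed on the trivy command line as `--password ${{ secrets.DOCKER_PULL_TOKEN }}`, so it is expanded into the shell script and visible in the scan container's process list for the duration of the run; trivy reads every flag from a `TRIVY_*` environment variable, so set `env:` / `  TRIVY_USERNAME: ${{ env.user }}` / `  TRIVY_PASSWORD: ${{ secrets.DOCKER_PULL_TOKEN }}` on the step and drop the two flags. The same `DOCKER_PULL_TOKEN` is used by the build workflow to push, so despite its name it must carry write scope; the scanner only needs read access and should get a separate read-only token so a leak from the scan job cannot publish images. `container: aquasec/trivy:latest` is also unpinned, which makes the scanner itself a mutable dependency — pin it to a release tag or `@sha256:` digest.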
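Review bot: `FROM python:3.14-slim` pins only a tag, and that tag is re-pushed whenever Debian or Python receives a patch, so two builds of the same commit can yield different images and the weekly trivy result cannot be tied to a specific base. Pin the base by digest and refresh it deliberately, e.g. `FROM python:3.14-slim@sha256:<digest of the verified image>`, so a base-image change is a reviewable diff rather than a side effect of rebuilding. The `RUN apt-get` instruction continues beyond this hunk.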
@@ -17,9 +17,17 @@ RUN apt-get update && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* -RUN pip install --no-cache-dir --trusted-host pypi.python.org -r requirements.txt +WORKDIR /app +COPY ./app /app/ -ENV SERVER_PORT=19998 + +RUN python -m venv /rudi-venv \ + && python -m pip install --upgrade pip \ + && pip install --no-cache-dir -r requirements.txt \ + && useradd -m -u 1000 rudi \ + && chown -R rudi:rudi /app + +USER rudi EXPOSE $SERVER_PORT diff --git a/app/netdata_DocRudi.py b/app/netdata_DocRudi.py index c883b00..1cca6e5 100755 --- a/app/netdata_DocRudi.py +++ b/app/netdata_DocRudi.py @@ -22,7 +22,6 @@ server_host = socket.gethostname() server_ip = socket.gethostbyname(server_host) server_port = os.environ.get('SERVER_PORT', '19998') - app = Flask(__name__) def get_docker_data(q_context, q_dimension): @@ -128,7 +127,7 @@ def check_url(url, timeout=5): sys.exit(1) if __name__ == '__main__': - # app.run(host='0.0.0.0', port=19998, debug=True) + # app.run(host='0.0.0.0', port=server_port, debug=True) check_url(netdata_host) print(f"Dashboard started at http://{server_host}:{server_port} | http://{server_ip}:{server_port}", file=sys.stderr) serve(app, host="0.0.0.0", port=server_port) diff --git a/app/requirements.txt b/app/requirements.txt index 62defdd..fc66264 100644 --- a/app/requirements.txt +++ b/app/requirements.txt @@ -1,3 +1,3 @@ -Flask==3.1.0 -plotly==5.24.1 -waitress~=3.0.2 \ No newline at end of file +Flask==3.1.2 +plotly==6.5.2 +waitress~=3.0.2 diff --git a/docker-compose-build.yml b/docker-compose-build.yml index 4d1c679..d140a6c 100644 --- a/docker-compose-build.yml +++ b/docker-compose-build.yml @@ -5,8 +5,10 @@ services: dockerfile: Dockerfile container_name: doc_rudi restart: unless-stopped + env_file: + - .env ports: - - "19998:19998" + - "19990:19990" #environment: #NETDATA_HOST: http://my-netdata-ip:19999 # default: http://localhost:19999 #NETDATA_QUERY_SECONDS: 200000 # default: 200000 (last how many seconds to get from netdata) 
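Review bot: `chown -R rudi:rudi /app` hands the runtime user write access to its own source tree, so code compromised at runtime can persist modifications into `/app`; nothing in the visible Dockerfile shows the application needing to write there. Leave the copied code root-owned (it only needs to be world-readable) and end the `RUN` with `&& useradd -m -u 1000 rudi` alone, creating and chowning a dedicated directory only if a writable path is actually required. `python -m pip install --upgrade pip` also pulls whatever pip is current at build time, which undercuts the otherwise pinned `requirements.txt`; pin it or drop the upgrade, and consider `--require-hashes` for the requirements themselves.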
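Review bot: The port mapping changes to `"19990:19990"`, but the image's default is `ENV SERVER_PORT=19998` and `.env_sample` documents 19998, so unless the gitignored `.env` sets `SERVER_PORT=19990` the host port is mapped to a container port nothing listens on. Tie both sides to the same variable so they cannot drift: `- "${SERVER_PORT:-19998}:${SERVER_PORT:-19998}"` — Compose reads `.env` for interpolation, so the file that configures the server also drives the mapping. If 19990 is intentional, the Dockerfile default and `.env_sample` should say so.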
diff --git a/docker-compose.yml b/docker-compose.yml index d5fbdcd..b910497 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,8 +5,10 @@ services: restart: unless-stopped ports: - "19998:19998" - environment: - NETDATA_HOST: http://url-of-your-netdata:19999 # default: http://localhost:19999 + env_file: + - .env + #environment: + #NETDATA_HOST: http://url-of-your-netdata:19999 # default: http://localhost:19999 #NETDATA_QUERY_SECONDS: 200000 # default: 200000 (last how many seconds to get from netdata) #NETDATA_QUERY_POINTS: 3000 # default: 3000 (how many points in a row for the query) #SITE_REFRESH: 0 # default: 0 (seconds to refresh the dashboard-website, 0 = no refresh)
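Review bot: The only configured `NETDATA_HOST` is now commented out in favour of `env_file: .env`, a file that is gitignored (only `.env_sample` is committed), so a fresh checkout either fails at `docker compose up` because the env file is missing or, once an empty `.env` is created, falls back to `http://localhost:19999` — which inside the container is the container itself, and the visible `check_url` then calls `sys.exit(1)`. Either keep `NETDATA_HOST` as a real `environment:` entry with a placeholder, or mark the file optional and document copying the sample: `env_file:` / `  - path: .env` / `    required: false` (the long-form `env_file` needs a Compose implementation that supports `required`).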