diff --git a/docs/container/security.md b/docs/container/security.md
index aadd4c50a644367cb7e325cd2172a77b4ff75e33..3359aa6f049b57a9fc104840a6174b4542440188 100644
--- a/docs/container/security.md
+++ b/docs/container/security.md
@@ -3,7 +3,12 @@
 ## Trivy
 
 - [GitHub](https://github.com/aquasecurity/trivy)
-- [Docs](https://aquasecurity.github.io/trivy)
+- [Docs](https://trivy.dev/latest/docs/)
+
+### Config
+
+- [Configuration](https://trivy.dev/latest/docs/configuration/)
+- Cli options can be exported as env vars (i.e. `--debug` -> `TRIVY_DEBUG=true trivy ...`)
 
 ### Usage
 
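Review bot: The added env-var bullet under `### Config` writes "i.e." where "e.g." is meant and shows a single mapping, so a reader cannot tell how to name the variable for any other flag. Suggest capitalising "CLI" and stating the naming rule the example implies (the `TRIVY_` prefix, upper case, hyphens replaced by underscores) next to the `--debug` -> `TRIVY_DEBUG=true` example.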
@@ -25,6 +30,7 @@ Scan container image:
 ```sh
 trivy image php:8.4.4-apache-bullseye
 trivy image php:8.4.4-apache-bullseye | head -5  # Hide details
+TRIVY_IGNORE_UNFIXED=true trivy image php:8.4.4-apache-bullseye # Only show fixed CVEs
 ```
 
 ### Ignore checks
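Review bot: The comment on the added `TRIVY_IGNORE_UNFIXED=true` line, "Only show fixed CVEs", is ambiguous: it can be read as listing CVEs that are already remediated in the image. The setting suppresses findings that have no fix available yet, and those vulnerabilities are still present in the image, so a comment such as "# Hide vulnerabilities that have no fix available yet" would be more accurate. The comment is also separated from the command by one space, while the line above it uses two.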
diff --git a/docs/security/authentication/oidc.md b/docs/security/authentication/oidc.md
new file mode 100644
index 0000000000000000000000000000000000000000..80e54ba7ecc37bf4838b1b51acde3a171badcf43
--- /dev/null
+++ b/docs/security/authentication/oidc.md
@@ -0,0 +1,23 @@
+# OpenID Connect
+
+- Central identity provider (IDP), also calles OpenID Provider
+- Client (or relying party)
+- Identity Token includes personal information
+  (`Claims`, i.e. name, role, email etc.)
+  - Identity tokens are signed by the IDP, and verified by the client
+  - JSON Web token (`JWT`)
+  - Standard claims (`iss`, `sub`, `aud`, `email` etc.)
+  - Custom claims (i.e. `roles`)
+
+## OIDC flows
+
+### Authorization code flow
+
+- Most relevant
+- Token is transferred via the `Backend channel` (CLient <-> IDP)
+  - SAML uses the `Frontend channel` via Browser, which makes
+    it less secure
+
+## Scopes
+
+- Defines the content of the ID token, i.e. which `claims` can an application get from the IDP ?
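Review bot: The SAML sub-bullet under `### Authorization code flow` states as a blanket fact that SAML uses the front channel "which makes it less secure". That is only true of SAML's browser-based bindings, so qualify the comparison and say what the exposure is (the assertion passes through the browser). The parent bullet should also make clear that only the token exchange runs over the back channel, since the authorization code itself still travels through the browser. Smaller points in the same hunk: "calles" should be "called", "CLient" should be "Client", "i.e." is used for examples in three places where "e.g." is meant, the `## Scopes` bullet ends in a stray " ?" and reads better as a statement, and the "verified by the client" bullet could name what is verified besides the signature, given that `iss` and `aud` are listed two lines below.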