diff --git a/.woodpecker.yml b/.woodpecker.yml
index 53fcc53..3958e6d 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -67,7 +67,7 @@ steps:
 
   # NOTE: volumes + pas de from_secret : compatible
   - name: sbom-scan
-    image: aquasec/trivy:latest
+    image: aquasec/trivy:0.70.0
     volumes:
       - /home/syoul/trivy-cache:/root/.cache/trivy
     commands:
diff --git a/backend/seed.py b/backend/seed.py
index f7b1406..153f897 100644
--- a/backend/seed.py
+++ b/backend/seed.py
@@ -17,9 +17,12 @@ from app.services.auth_service import hash_password
 from app.services.import_service import generate_auth_code
 from app.engine.pricing import HouseholdData, compute_p0
 
-XLS_PATH = os.path.join(os.path.dirname(__file__), "Eau2018.xls")
-if not os.path.exists(XLS_PATH):
-    XLS_PATH = os.path.join(os.path.dirname(__file__), "..", "Eau2018.xls")
+_XLS_CANDIDATES = [
+    "/opt/Eau2018.xls",  # image Docker (hors volume monté sur /app)
+    os.path.join(os.path.dirname(__file__), "Eau2018.xls"),
+    os.path.join(os.path.dirname(__file__), "..", "Eau2018.xls"),  # dev local depuis backend/
+]
+XLS_PATH = next((p for p in _XLS_CANDIDATES if os.path.exists(p)), _XLS_CANDIDATES[-1])
 
 
 # Codes fixes — identiques dans le dev hint frontend
diff --git a/docker/backend.Dockerfile b/docker/backend.Dockerfile
index 65b0468..678a815 100644
--- a/docker/backend.Dockerfile
+++ b/docker/backend.Dockerfile
@@ -11,7 +11,7 @@ COPY backend/requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
 COPY backend/ .
-COPY Eau2018.xls /app/Eau2018.xls
+COPY Eau2018.xls /opt/Eau2018.xls
 
 # Production
 FROM base AS production
@@ -22,6 +22,7 @@ COPY --from=build /usr/local/lib/python3.11/site-packages /usr/local/lib/python3
 COPY --from=build /usr/local/bin/uvicorn /usr/local/bin/uvicorn
 COPY --from=build /usr/local/bin/alembic /usr/local/bin/alembic
 COPY --from=build /app /app
+COPY --from=build /opt/Eau2018.xls /opt/Eau2018.xls
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
   CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/docs')" || exit 1