diff --git a/.circleci/config.yml b/.circleci/config.yml
index ae1e6af7e5..4923e1516f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -296,13 +296,13 @@ jobs:
 name: Check Python dependencies for CVEs
 command: |
 fromtag=$(docker images |grep securedrop-test-xenial-py3 |head -n1 |awk '{print $2}')
- DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "sudo pip3 install -q --upgrade safety && make -C .. safety"
+ DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "pip3 install -U -q --upgrade safety && make -C .. safety"
 - run:
 name: Run static security testing on source code
 command: |
 fromtag=$(docker images |grep securedrop-test-xenial-py3 |head -n1 |awk '{print $2}')
- DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "sudo pip3 install -q --upgrade pip && sudo pip3 install -q --upgrade bandit && make -C .. bandit"
+ DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "pip3 install -U -q --upgrade pip && pip3 install -U -q --upgrade bandit && make -C .. bandit"
 staging-test-with-rebase:
diff --git a/molecule/builder-focal/Dockerfile b/molecule/builder-focal/Dockerfile
index de9b53b3fc..944d2b61d3 100644
--- a/molecule/builder-focal/Dockerfile
+++ b/molecule/builder-focal/Dockerfile
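Review bot: In both changed commands `-U` and `--upgrade` are the same pip option, so `pip3 install -U -q --upgrade safety` can be reduced to `pip3 install -q --upgrade safety` (likewise for the pip and bandit installs). With `sudo` dropped, where the packages land depends on how the dev-shell container sets up Python, which is not visible in this hunk; it is worth confirming that `make -C .. safety` and `make -C .. bandit` pick up the freshly installed tools rather than an older system copy. Both scanners are still fetched unpinned at job time, so pinning them (for example `safety==<VERSION>`) would make the result of this security gate reproducible between runs.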
@@ -39,10 +39,8 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
 # TEMPORARY: install dh-virtualenv from debian unstable, pending focal package:
 # https://github.com/spotify/dh-virtualenv/issues/298
-RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list
-COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable
-RUN apt-get install -y debian-archive-keyring
-RUN ln -s /usr/share/keyrings/debian-archive-keyring.gpg /etc/apt/trusted.gpg.d/
+RUN echo "deb http://archive.ubuntu.com/ubuntu/ groovy universe" > /etc/apt/sources.list.d/ubuntu-groovy.list
+COPY aptpreferences.conf /etc/apt/preferences.d/ubuntu-groovy
 RUN apt-get update && apt-get install -y dh-virtualenv
diff --git a/molecule/builder-focal/aptpreferences.conf b/molecule/builder-focal/aptpreferences.conf
index 58a36d3f3b..5465451114 100644
--- a/molecule/builder-focal/aptpreferences.conf
+++ b/molecule/builder-focal/aptpreferences.conf
@@ -3,5 +3,5 @@ Pin: release a=focal
 Pin-Priority: 700
 Package: *
-Pin: release a=unstable
+Pin: release a=groovy
 Pin-Priority: 1
diff --git a/molecule/builder-focal/image_hash b/molecule/builder-focal/image_hash
index 6aff8d3769..9c41977054 100644
--- a/molecule/builder-focal/image_hash
+++ b/molecule/builder-focal/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2020_09_11
-10d4b7f28a3de6f2bd9e6a55dd5fdb448fb90442d15a013f73942b4d2e5ce259
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2021_01_26
+60436817a1e7a2b1f2abe19ef456b73e0b6e6d4064f2edb27e1ae0da3fcccef3
diff --git a/molecule/builder-xenial/image_hash b/molecule/builder-xenial/image_hash
index 7ec3a4cdef..b737efe001 100644
--- a/molecule/builder-xenial/image_hash
+++ b/molecule/builder-xenial/image_hash
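Review bot: The two comment lines kept above the new `RUN echo ... groovy universe` line still say dh-virtualenv is installed from debian unstable, so they now misdescribe the source; they should read something like `# TEMPORARY: install dh-virtualenv from Ubuntu groovy (universe), pending focal package:`. The new entry also moves from `https://` to `http://`, which leaves package integrity resting on apt's signature check of the archive metadata alone; if the mirror in use offers TLS, keeping it would preserve the transport protection the old line had. The following `apt-get install -y dh-virtualenv` is unpinned, so for an image that builds release packages consider `dh-virtualenv=<VERSION>` to keep rebuilds reproducible. Groovy is an interim release, so this source line will need revisiting once it leaves the main archive.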
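Review bot: The groovy stanza keeps `Package: *` at `Pin-Priority: 1`, and at that priority apt only takes a groovy version when no higher-priority candidate exists. If focal's own repositories also carry dh-virtualenv, the focal build at priority 700 would presumably win and the new source would have no effect on the package it was added for; checking `apt-cache policy dh-virtualenv` in the built image would confirm which suite supplies it. An `Explanation:` line on the stanza, e.g. `Explanation: groovy is enabled only for dh-virtualenv; everything else stays on focal`, would record the intent for the next maintainer. The stanza begins outside this hunk, so only its last three lines are visible here.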
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2020_10_07
-35b70776cf5139ed2c597063579d74f0458416e4cbbe443bfebef2596ce5a48c
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2021_01_26
+f17105ea2618621d2de42ee6ef4d2cff507845fbf4d26581581bcf7c99d47217