diff --git a/helm/templates/_enforce-policy.yaml b/helm/templates/_enforce-policy.yaml
index 98188c4..948d1f3 100644
--- a/helm/templates/_enforce-policy.yaml
+++ b/helm/templates/_enforce-policy.yaml
@@ -4,7 +4,7 @@
 parameters:
 - name: fail-on-cvss
 container:
- image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
+ image: {{ include "template.tools-image" . | quote }}
 imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
 command:
 - node
diff --git a/helm/templates/_workflow-templates.yaml b/helm/templates/_workflow-templates.yaml
new file mode 100644
index 0000000..ec142c4
--- /dev/null
+++ b/helm/templates/_workflow-templates.yaml
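Review bot: The `template.tools-image` helper that the new `image:` line depends on is not in the diff, so its contract (how repository and tag are joined, and whether it can emit a digest) can only be assumed; since this container is the CVSS gate for the whole pipeline and the values.yaml hunk below still pins it to `tag: latest`, that helper is the natural place to prefer `repository@sha256:…` whenever a `toolsImage.digest` value is set. I would record that expectation next to the call, e.g. `{{- /* image resolved by template.tools-image; set toolsImage.digest to pin the policy gate */ -}}`, so the next maintainer knows where pinning belongs. The enforce-policy template definition begins before this hunk.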
@@ -0,0 +1,64 @@
+{{- define "template.workflow.security-pipeline.tasks" -}}
+- name: clone
+ template: clone-repo
+ arguments:
+ parameters:
+ - name: repo-url
+ value: {{ `{{workflow.parameters.repo-url}}` | quote }}
+ - name: git-revision
+ value: {{ `{{workflow.parameters.git-revision}}` | quote }}
+- name: scanners
+ dependencies:
+ - clone
+ template: parallel-scanners
+ arguments:
+ parameters:
+ - name: working-dir
+ value: {{ `{{workflow.parameters.working-dir}}` | quote }}
+- name: enforce-policy
+ dependencies:
+ - scanners
+ template: enforce-policy
+ arguments:
+ parameters:
+ - name: fail-on-cvss
+ value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
+{{- if .Values.storage.enabled }}
+- name: upload-storage
+ dependencies:
+ - scanners
+ template: upload-storage
+{{- end }}
+{{- if .Values.defectdojo.enabled }}
+- name: upload-defectdojo
+ dependencies:
+ - scanners
+ template: upload-defectdojo
+{{- end }}
+{{- end }}
+
+{{- define "template.workflow.parallel-scanners.tasks" -}}
+{{- /* Scanner fan-out is data-driven from pipeline.scanners in values.yaml. */ -}}
+{{- range $scanner := .Values.pipeline.scanners }}
+- name: {{ $scanner }}
+ template: scan-{{ $scanner }}
+ arguments:
+ parameters:
+ - name: working-dir
+ value: {{ `{{inputs.parameters.working-dir}}` | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "template.workflow.named-templates" -}}
+{{- /* Keep the main workflow file focused on orchestration; implementations are included here. */ -}}
+{{- range $scanner := .Values.pipeline.scanners }}
+{{ include (printf "template.scan-%s" $scanner) $ }}
+{{- end }}
+{{- if .Values.storage.enabled }}
+{{ include "template.upload-storage" . }}
+{{- end }}
+{{- if .Values.defectdojo.enabled }}
+{{ include "template.upload-defectdojo" . }}
+{{- end }}
+{{ include "template.enforce-policy" . }}
+{{- end }}
diff --git a/helm/templates/clusterworkflowtemplate.yaml b/helm/templates/clusterworkflowtemplate.yaml
index abef0e0..23be299 100644
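Review bot: `pipeline.scanners` becomes chart-user input that is spliced unquoted into `- name: {{ $scanner }}` and `template: scan-{{ $scanner }}` in the parallel-scanners define, and an empty list renders `tasks:` with no items, which `helm template` accepts but Argo is likely to reject only at submit time. The missing-template error from `include (printf "template.scan-%s" $scanner) $` does catch typos, but only because the whole render aborts, and a name with YAML specials or spaces would already have been emitted by then. I would fail fast at the top of the fan-out define and quote the emitted scalars, as below; all three defines are complete within this hunk.
```yaml
{{- define "template.workflow.parallel-scanners.tasks" -}}
{{- /* Scanner fan-out is data-driven from pipeline.scanners in values.yaml. */ -}}
{{- if not .Values.pipeline.scanners }}
{{- fail "pipeline.scanners must list at least one scanner" }}
{{- end }}
{{- range $scanner := .Values.pipeline.scanners }}
{{- if not (regexMatch "^[a-z0-9][a-z0-9-]*$" $scanner) }}
{{- fail (printf "pipeline.scanners: invalid scanner name %q" $scanner) }}
{{- end }}
- name: {{ $scanner | quote }}
  template: {{ printf "scan-%s" $scanner | quote }}
# … unchanged: arguments/parameters for working-dir …
{{- end }}
{{- end }}
```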
--- a/helm/templates/clusterworkflowtemplate.yaml
+++ b/helm/templates/clusterworkflowtemplate.yaml
@@ -2,9 +2,9 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ClusterWorkflowTemplate
 metadata:
- name: {{ .Values.pipeline.name | quote }}
+ name: {{ .Values.pipeline.name }}
 spec:
- serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}
+ serviceAccountName: {{ .Values.pipeline.serviceAccountName }}
 entrypoint: security-pipeline
 onExit: pipeline-exit-hook
 volumeClaimTemplates:
@@ -15,7 +15,7 @@ spec:
 - ReadWriteOnce
 resources:
 requests:
- storage: {{ .Values.pipeline.workspace.storage | quote }}
+ storage: {{ .Values.pipeline.workspace.storage }}
 arguments:
 parameters:
 - name: working-dir
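Review bot: Dropping `| quote` on `metadata.name`, `serviceAccountName` and `storage` exposes these templated scalars to YAML implicit typing: a pipeline or service-account name that happens to be all digits (valid DNS-1123) now renders as an integer and is rejected by the API server's string schema, whereas the quoted form always produced a string. The change is also inconsistent within this commit, which keeps `| quote` on the enforce-policy image in `_enforce-policy.yaml`. I would keep `name: {{ .Values.pipeline.name | quote }}`, `serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}` and `storage: {{ .Values.pipeline.workspace.storage | quote }}`; the service account is what every scanner pod runs as, so a silent retype there surfaces as a confusing submit-time failure rather than at render.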
@@ -26,52 +26,20 @@ spec:
 - name: git-revision
 value: {{ .Values.pipeline.gitRevision | quote }}
 templates:
+ # Top-level DAG wiring lives here so the workflow flow stays readable.
 - name: security-pipeline
 dag:
 tasks:
- - name: clone
- template: clone-repo
- arguments:
- parameters:
- - name: repo-url
- value: {{ `{{workflow.parameters.repo-url}}` | quote }}
- - name: git-revision
- value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- - name: scanners
- dependencies:
- - clone
- template: parallel-scanners
- arguments:
- parameters:
- - name: working-dir
- value: {{ `{{workflow.parameters.working-dir}}` | quote }}
- - name: enforce-policy
- dependencies:
- - scanners
- template: enforce-policy
- arguments:
- parameters:
- - name: fail-on-cvss
- value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
-{{- if .Values.storage.enabled }}
- - name: upload-storage
- dependencies:
- - scanners
- template: upload-storage
-{{- end }}
-{{- if .Values.defectdojo.enabled }}
- - name: upload-defectdojo
- dependencies:
- - scanners
- template: upload-defectdojo
-{{- end }}
+{{ include "template.workflow.security-pipeline.tasks" . | nindent 10 }}
+
+ # Concrete task implementations stay below.
 - name: clone-repo
 inputs:
 parameters:
 - name: repo-url
 - name: git-revision
 container:
- image: {{ .Values.images.git | quote }}
+ image: {{ .Values.images.git }}
 command:
 - sh
 - -c
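Review bot: The two comments added here (`# Top-level DAG wiring …` and `# Concrete task implementations …`) are YAML comments and so are carried into the rendered manifest, while the new `_workflow-templates.yaml` in the same commit uses `{{- /* … */ -}}` template comments that are stripped at render; for consistency I would write them as `{{- /* Top-level DAG wiring lives here so the workflow flow stays readable. */ -}}` and `{{- /* Concrete task implementations stay below. */ -}}`. Separately, the unchanged `clone-repo` lines show `repo-url` and `git-revision` feeding a `sh -c` script whose body lies outside this hunk; if those workflow parameters are interpolated straight into that script they are submitter-controlled shell input and would be safer passed through `env` and read as `"$REPO_URL"` inside the script. The `security-pipeline` and `clone-repo` templates both extend beyond the hunk.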
@@ -80,23 +48,18 @@ spec:
 volumeMounts:
 - name: workspace
 mountPath: /workspace
+
 - name: parallel-scanners
 inputs:
 parameters:
 - name: working-dir
 dag:
 tasks:
- {{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }}
- - name: {{ $scanner }}
- template: scan-{{ $scanner }}
- arguments:
- parameters:
- - name: working-dir
- value: {{ `{{inputs.parameters.working-dir}}` | quote }}
- {{- end }}
+{{ include "template.workflow.parallel-scanners.tasks" . | nindent 10 }}
+
 - name: pipeline-exit-hook
 container:
- image: {{ .Values.images.curl | quote }}
+ image: {{ .Values.images.curl }}
 command:
 - sh
 - -c
@@ -104,17 +67,5 @@ spec:
 - |
 set -eu
 echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
-{{ include "template.scan-trufflehog" . | nindent 4 }}
-{{ include "template.scan-semgrep" . | nindent 4 }}
-{{ include "template.scan-kics" . | nindent 4 }}
-{{ include "template.scan-socketdev" . | nindent 4 }}
-{{ include "template.scan-syft-grype" . | nindent 4 }}
-{{ include "template.scan-pulumi-crossguard" . | nindent 4 }}
-{{- if .Values.storage.enabled }}
-{{ include "template.upload-storage" . | nindent 4 }}
-{{- end }}
-{{- if .Values.defectdojo.enabled }}
-{{ include "template.upload-defectdojo" . | nindent 4 }}
-{{- end }}
-{{ include "template.enforce-policy" . | nindent 4 }}
+{{ include "template.workflow.named-templates" . | nindent 4 }}
 {{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
index c285807..98cea22 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -8,6 +8,14 @@ pipeline:
 workspace:
 storage: 1Gi
 repoName: agentguard-ci
+ # Order here matches the scanner fan-out in the workflow DAG.
+ scanners:
+ - trufflehog
+ - semgrep
+ - kics
+ - socketdev
+ - syft-grype
+ - pulumi-crossguard
 toolsImage:
 repository: agentguard-tools
 tag: latest
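Review bot: The new values.yaml comment `# Order here matches the scanner fan-out in the workflow DAG.` is misleading: the scanners are emitted as sibling DAG tasks with no `dependencies` between them, so list order does not control execution, only the order they appear in the rendered template. What the list actually constrains is the name set, since each entry becomes `scan-<name>` and is resolved through `include (printf "template.scan-%s" $scanner)`, which fails `helm template` on an unknown name. I would replace the comment with `# Each entry needs a matching "template.scan-<name>" define; names are used verbatim as Argo task/template names and run in parallel.` While here: the tools image that runs the CVSS gate is still `tag: latest`, a mutable reference, so a digest (or at least an immutable version tag) would make the policy decision reproducible across runs.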