diff --git a/helm/templates/_enforce-policy.yaml b/helm/templates/_enforce-policy.yaml
new file mode 100644
index 0000000..7b3fc16
--- /dev/null
+++ b/helm/templates/_enforce-policy.yaml
@@ -0,0 +1,17 @@
+{{- define "template.enforce-policy" }}
+- name: enforce-policy
+  inputs:
+    parameters:
+    - name: fail-on-cvss
+  container:
+    image: agentguard-tools:latest
+    command:
+    - node
+    - /app/dist/enforce-policy.js
+    env:
+    - name: FAIL_ON_CVSS
+      value: "{{inputs.parameters.fail-on-cvss}}"
+  volumeMounts:
+  - name: workspace
+    mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/scan-crossguard.yaml b/helm/templates/_scan-crossguard.yaml
similarity index 83%
rename from helm/templates/scan-crossguard.yaml
rename to helm/templates/_scan-crossguard.yaml
index 8088cbc..73fce87 100644
--- a/helm/templates/scan-crossguard.yaml
+++ b/helm/templates/_scan-crossguard.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
-  - name: scan-crossguard
+{{- define "template.scan-crossguard" }}
+- name: scan-crossguard
 container:
 image: pulumi/pulumi:3.154.0
 env:
diff --git a/helm/templates/scan-kics.yaml b/helm/templates/_scan-kics.yaml
similarity index 77%
rename from helm/templates/scan-kics.yaml
rename to helm/templates/_scan-kics.yaml
index 4303a35..f764431 100644
--- a/helm/templates/scan-kics.yaml
+++ b/helm/templates/_scan-kics.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
-  - name: scan-kics
+{{- define "template.scan-kics" }}
+- name: scan-kics
 container:
 image: checkmarx/kics:1.7.14
 command:
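Review bot: In the new `_enforce-policy.yaml`, `volumeMounts:` is placed at the template level as a sibling of `container:`, whereas the other new partials in this change (`_scan-trufflehog.yaml`, `_upload-defectdojo.yaml`, `_upload-storage.yaml`) nest it under `container:`; on an Argo template `volumeMounts` is a field of the container spec, so as written the workspace holding the scanner reports would not be mounted into the step that decides pass/fail (or the manifest is rejected for an unknown field). Indentation in this collapsed view may be unreliable, so confirm in the file, but the three lines should read `    volumeMounts:` / `    - name: workspace` / `      mountPath: /workspace`, two spaces deeper than now. Separately, the gating step runs `agentguard-tools:latest` while the scanner images in this change are version-pinned; a mutable tag on the step that enforces the policy is a supply-chain weak point, so pin it by version and digest (`agentguard-tools:<version>@sha256:…`). A one-line comment above `- name: enforce-policy` stating which report files under `/workspace/reports` the script consumes, and that `FAIL_ON_CVSS` is the CVSS threshold (as the parameter name suggests, but verify against `enforce-policy.js`), would also help the next maintainer.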
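Review bot: The hunk header `@@ -1,11 +1,5 @@` shows `container:`, `image:` and `env:` surviving as context lines, so they keep their old indentation (four spaces under `  - name:`, as the deleted `scan-trufflehog.yaml` in this same commit shows) while the new `- name: scan-crossguard` moved to column 0; in the rendered partial `container:` is therefore indented deeper than `name`, which is inconsistent with the new `_upload-*.yaml` partials (two-space `  container:`) and is likely to be parsed as a continuation of the `name` scalar rather than as a sibling key. The body should be dedented by two spaces so the partial reads `- name: scan-crossguard` / `  container:` / `    image: pulumi/pulumi:3.154.0`; the same applies to the scan-kics, scan-semgrep, scan-socketdev and scan-syft-grype hunks. The `{{- if .Values.pipeline.enabled }}` guard is also dropped from every partial; a `define` emits nothing until included, so this is fine only if the aggregating ClusterWorkflowTemplate that includes them (not in this diff) carries the guard — confirm that it does. The rest of the file is outside this hunk.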
diff --git a/helm/templates/scan-semgrep.yaml b/helm/templates/_scan-semgrep.yaml
similarity index 67%
rename from helm/templates/scan-semgrep.yaml
rename to helm/templates/_scan-semgrep.yaml
index 02a8012..e7c482e 100644
--- a/helm/templates/scan-semgrep.yaml
+++ b/helm/templates/_scan-semgrep.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
-  - name: scan-semgrep
+{{- define "template.scan-semgrep" }}
+- name: scan-semgrep
 container:
 image: returntocorp/semgrep:1.85.0
 command:
diff --git a/helm/templates/scan-socketdev.yaml b/helm/templates/_scan-socketdev.yaml
similarity index 75%
rename from helm/templates/scan-socketdev.yaml
rename to helm/templates/_scan-socketdev.yaml
index 56532df..f5c1cb5 100644
--- a/helm/templates/scan-socketdev.yaml
+++ b/helm/templates/_scan-socketdev.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
-  - name: scan-socketdev
+{{- define "template.scan-socketdev" }}
+- name: scan-socketdev
 container:
 image: socketdev/socketcli:latest
 env:
diff --git a/helm/templates/scan-syft-grype.yaml b/helm/templates/_scan-syft-grype.yaml
similarity index 70%
rename from helm/templates/scan-syft-grype.yaml
rename to helm/templates/_scan-syft-grype.yaml
index 3f31af2..4595f68 100644
--- a/helm/templates/scan-syft-grype.yaml
+++ b/helm/templates/_scan-syft-grype.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
-  - name: scan-syft-grype
+{{- define "template.scan-syft-grype" }}
+- name: scan-syft-grype
 container:
 image: anchore/syft:latest
 command:
diff --git a/helm/templates/_scan-trufflehog.yaml b/helm/templates/_scan-trufflehog.yaml
new file mode 100644
index 0000000..28ac35d
--- /dev/null
+++ b/helm/templates/_scan-trufflehog.yaml
@@ -0,0 +1,16 @@
+{{- define "template.scan-trufflehog" }}
+- name: scan-trufflehog
+  container:
+    image: trufflesecurity/trufflehog:latest
+    command:
+    - sh
+    - -c
+    args:
+    - |
+      set -eu
+      mkdir -p /workspace/reports
+      trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || true
+    volumeMounts:
+    - name: workspace
+      mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/_upload-defectdojo.yaml b/helm/templates/_upload-defectdojo.yaml
new file mode 100644
index 0000000..28edc0e
--- /dev/null
+++ b/helm/templates/_upload-defectdojo.yaml
@@ -0,0 +1,22 @@
+{{- define "template.upload-defectdojo" }}
+- name: upload-defectdojo
+  container:
+    image: agentguard-tools:latest
+    env:
+    - name: DEFECTDOJO_URL
+      valueFrom:
+        secretKeyRef:
+          name: amp-security-pipeline-secrets
+          key: DEFECTDOJO_URL
+    - name: DEFECTDOJO_API_TOKEN
+      valueFrom:
+        secretKeyRef:
+          name: amp-security-pipeline-secrets
+          key: DEFECTDOJO_API_TOKEN
+    command:
+    - node
+    - /app/dist/upload-defectdojo.js
+    volumeMounts:
+    - name: workspace
+      mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/_upload-storage.yaml b/helm/templates/_upload-storage.yaml
new file mode 100644
index 0000000..5e3e735
--- /dev/null
+++ b/helm/templates/_upload-storage.yaml
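Review bot: The `|| true` on the `trufflehog filesystem /workspace --json > …` line converts every scanner failure into success, so a missing binary, a rejected flag, or a crash leaves an empty `trufflehog.json` and a green step, and the downstream policy gate cannot distinguish "no secrets found" from "the scan never ran"; the `set -eu` two lines above is effectively neutralised for the only command that matters. Drop the `|| true` — TruffleHog's default exit status should be checked against its documentation rather than assumed, and if it is non-zero on findings, record it explicitly (`trufflehog … > … || rc=$?`) and let enforce-policy decide from the report instead of masking the status here. The image `trufflesecurity/trufflehog:latest` is unpinned, unlike the scanner images in the sibling partials; a secret scanner runs with read access to the entire workspace, so pin it by version and digest. Note also that `/workspace/reports` lies inside the scanned tree, so reports written by any earlier step will be scanned as well; an exclude list for `reports/` avoids self-referential findings.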
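Review bot: The container that receives `DEFECTDOJO_API_TOKEN` runs `agentguard-tools:latest`, a mutable tag with neither registry nor digest, so whatever image resolves to that tag at run time is handed the DefectDojo credential; pin it (`agentguard-tools:<version>@sha256:…`) the way `checkmarx/kics:1.7.14` and `amazon/aws-cli:2.15.40` are pinned elsewhere in this change. `DEFECTDOJO_URL` is also read from the secret; that is harmless, but a URL is configuration rather than a secret and would normally come from values so that the secret holds only the token. If `/app/dist/upload-defectdojo.js` does not itself tolerate a missing or empty `/workspace/reports` (not visible here), a comment above `- name: upload-defectdojo` naming the report files it expects would make the dependency on the scan steps explicit.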
@@ -0,0 +1,39 @@
+{{- define "template.upload-storage" }}
+- name: upload-storage
+  container:
+    image: amazon/aws-cli:2.15.40
+    env:
+    - name: AWS_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          name: amp-security-pipeline-secrets
+          key: AWS_ACCESS_KEY_ID
+    - name: AWS_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          name: amp-security-pipeline-secrets
+          key: AWS_SECRET_ACCESS_KEY
+    - name: MINIO_ROOT_USER
+      valueFrom:
+        secretKeyRef:
+          name: amp-security-pipeline-secrets
+          key: MINIO_ROOT_USER
+    - name: MINIO_ROOT_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: amp-security-pipeline-secrets
+          key: MINIO_ROOT_PASSWORD
+    command:
+    - sh
+    - -c
+    args:
+    - |
+      set -eu
+      repo_name="${REPO_NAME:-repo}"
+      commit_sha="${GIT_COMMIT_SHA:-unknown}"
+      report_date="$(date -u +%F)"
+      aws s3 sync /workspace/reports "s3://${REPORTS_BUCKET:-security-reports}/${repo_name}/${report_date}/${commit_sha}/"
+    volumeMounts:
+    - name: workspace
+      mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/scan-trufflehog.yaml b/helm/templates/scan-trufflehog.yaml
deleted file mode 100644
index 7df1f94..0000000
--- a/helm/templates/scan-trufflehog.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
-  - name: scan-trufflehog
-    container:
-      image: alpine:3.20
-      command:
-      - sh
-      - -c
-      args:
-      - mkdir -p /workspace/reports && echo "stub: trufflehog" > /workspace/reports/trufflehog.json
-      volumeMounts:
-      - name: workspace
-        mountPath: /workspace
-{{- end }}
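Review bot: `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` are injected into the aws-cli container but nothing in the script reads them and the AWS CLI does not consult `MINIO_*` variables, so the MinIO root credential is exposed to a step that cannot use it; remove those two env entries, and if MinIO is the intended target, point the CLI at it with an `AWS_ENDPOINT_URL` entry (honoured by aws-cli 2.13 and later, so 2.15.40 qualifies) backed by a scoped access key rather than the root account. `REPO_NAME`, `GIT_COMMIT_SHA` and `REPORTS_BUCKET` are likewise never set in this template, so unless the enclosing workflow injects them (not visible here) every run syncs to `s3://security-reports/repo/<date>/unknown/` and `aws s3 sync` silently overlays reports from different repositories and commits under one key. Declare them as `inputs.parameters`, as `_enforce-policy.yaml` does for `fail-on-cvss`, and map them into `env:` as sketched below. Since `${commit_sha}` is interpolated into the object key unvalidated, restrict it to hex (`case "$commit_sha" in *[!0-9a-f]*) exit 1;; esac`) if it can originate from a webhook payload.
```yaml
- name: upload-storage
  inputs:
    parameters:
    - name: repo-name
    - name: git-commit-sha
    - name: reports-bucket
  container:
    image: amazon/aws-cli:2.15.40
    env:
    # … unchanged: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secretKeyRef entries …
    - name: REPO_NAME
      value: "{{inputs.parameters.repo-name}}"
    - name: GIT_COMMIT_SHA
      value: "{{inputs.parameters.git-commit-sha}}"
    - name: REPORTS_BUCKET
      value: "{{inputs.parameters.reports-bucket}}"
    # … unchanged: command/args script and volumeMounts …
```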