diff --git a/helm/gohoarder/templates/configmap.yaml b/helm/gohoarder/templates/configmap.yaml
index cc742a4..fd1e026 100644
--- a/helm/gohoarder/templates/configmap.yaml
+++ b/helm/gohoarder/templates/configmap.yaml
@@ -93,24 +93,30 @@ data:
 low: {{ .Values.security.blockThresholds.low }}
 scanners:
 trivy:
- enabled: {{ .Values.security.scanners.trivy.enabled }}
+ # Disabled in server config (no trivy binary), enabled via env var in scanner pod
+ enabled: false
 timeout: {{ .Values.security.scanners.trivy.timeout | quote }}
 cache_db: {{ .Values.security.scanners.trivy.cacheDb | quote }}
 osv:
+ # API-based scanner - works in both server and scanner pods
 enabled: {{ .Values.security.scanners.osv.enabled }}
 api_url: {{ .Values.security.scanners.osv.apiUrl | quote }}
 timeout: {{ .Values.security.scanners.osv.timeout | quote }}
 grype:
- enabled: {{ .Values.security.scanners.grype.enabled }}
+ # Disabled in server config (no grype binary), enabled via env var in scanner pod
+ enabled: false
 timeout: {{ .Values.security.scanners.grype.timeout | quote }}
 govulncheck:
- enabled: {{ .Values.security.scanners.govulncheck.enabled }}
+ # Disabled in server config (no go/govulncheck binary), enabled via env var in scanner pod
+ enabled: false
 timeout: {{ .Values.security.scanners.govulncheck.timeout | quote }}
 npm_audit:
- enabled: {{ .Values.security.scanners.npmAudit.enabled }}
+ # Disabled in server config (no npm binary), enabled via env var in scanner pod
+ enabled: false
 timeout: {{ .Values.security.scanners.npmAudit.timeout | quote }}
 pip_audit:
- enabled: {{ .Values.security.scanners.pipAudit.enabled }}
+ # Disabled in server config (no pip binary), enabled via env var in scanner pod
+ enabled: false
 timeout: {{ .Values.security.scanners.pipAudit.timeout | quote }}
 ghsa:
 enabled: {{ .Values.security.scanners.ghsa.enabled }}
diff --git a/helm/gohoarder/templates/deployment-scanner.yaml b/helm/gohoarder/templates/deployment-scanner.yaml
index 308db42..036ea4d 100644
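Review bot: The five `# Disabled in server config …` comments above the new `enabled: false` lines (trivy, grype, govulncheck, npm_audit, pip_audit) present this ConfigMap as server-only, yet the scanner Deployment touched in this same commit mounts the same file through `CONFIG_FILE=/etc/gohoarder/config.yaml`, so the scanner's effective setting presumably depends on the application giving its `GOHOARDER_SECURITY_SCANNERS_*_ENABLED` env vars precedence over the file — nothing in the chart establishes that. If that precedence does not hold, every tool-based scanner is silently off in both pods while `.Values.security.scanners.*.enabled` still reads as true, which is exactly the quiet degradation a vulnerability-scanning chart should state plainly. I would replace the five near-identical comments with one above `trivy:` that names the contract: `# Shared config: tool-based scanners are forced off here because the server image has no trivy/grype/govulncheck/npm/pip binaries; the scanner Deployment re-enables them via GOHOARDER_SECURITY_SCANNERS_<NAME>_ENABLED, which must override this file.` The `data:` mapping this hunk edits begins before the hunk, and the `ghsa:` entry continues after it.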
--- a/helm/gohoarder/templates/deployment-scanner.yaml
+++ b/helm/gohoarder/templates/deployment-scanner.yaml
@@ -109,6 +109,17 @@ spec:
 env:
 - name: CONFIG_FILE
 value: /etc/gohoarder/config.yaml
+ # Enable tool-based scanners only in scanner pod (server doesn't have the tools)
+ - name: GOHOARDER_SECURITY_SCANNERS_TRIVY_ENABLED
+ value: "{{ .Values.security.scanners.trivy.enabled }}"
+ - name: GOHOARDER_SECURITY_SCANNERS_GRYPE_ENABLED
+ value: "{{ .Values.security.scanners.grype.enabled }}"
+ - name: GOHOARDER_SECURITY_SCANNERS_GOVULNCHECK_ENABLED
+ value: "{{ .Values.security.scanners.govulncheck.enabled }}"
+ - name: GOHOARDER_SECURITY_SCANNERS_NPM_AUDIT_ENABLED
+ value: "{{ .Values.security.scanners.npmAudit.enabled }}"
+ - name: GOHOARDER_SECURITY_SCANNERS_PIP_AUDIT_ENABLED
+ value: "{{ .Values.security.scanners.pipAudit.enabled }}"
 {{- if and (eq .Values.metadata.backend "postgresql") .Values.metadata.postgresql.existingSecret }}
 - name: POSTGRES_USER
 valueFrom:
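Review bot: The five added `value: "{{ .Values.security.scanners.<x>.enabled }}"` lines hand-quote the template where configmap.yaml in this same commit uses `| quote`, and an unset or null value renders as `""` rather than `"false"`, leaving it to the application's env parser to decide whether an empty string means disabled — a scanner that drops out this way produces no chart-level error. Prefer `value: {{ .Values.security.scanners.trivy.enabled | default false | quote }}` (and the same shape for the grype, govulncheck, npmAudit and pipAudit lines) so the rendered env var is always the literal string `"true"` or `"false"`. The env var names encode the config path with `NPM_AUDIT`/`PIP_AUDIT` for the `npm_audit`/`pip_audit` keys; that mapping is the application's convention and is not visible here, so a rendered-manifest check against the scanner pod's startup log is the only way to confirm it. The `env:` list this hunk extends continues past the hunk with the PostgreSQL entries.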