diff --git a/.gitea/workflows/delpoy.yml b/.gitea/workflows/delpoy.yml index bd121e7..9e8b0b4 100644 --- a/.gitea/workflows/delpoy.yml +++ b/.gitea/workflows/delpoy.yml @@ -5,17 +5,30 @@ on: branches: - main +env: + GIT_HOST: git.jakach.ch + GIT_REPO: jakach/jakach-login + GIT_BRANCH: main + + APP_NAME: auth + APP_DOMAIN: auth.jakach.ch + APP_PORT: 447 + + SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }} + CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }} + TRIVY_SEVERITY: HIGH,CRITICAL + TRIVY_IMAGE_SCANNERS: vuln + TRIVY_VEX: repo + TRIVY_FS_SCANNERS: vuln,misconfig,secret + SEMGREP_CONFIG: p/default + jobs: security_scan: runs-on: ubuntu-latest env: - GIT_REPO: jakach/jakach-login - GIT_BRANCH: main GIT_USER: ${{ vars.GIT_USER }} GIT_TOKEN: ${{ secrets.GIT_TOKEN }} - SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }} - TRIVY_SEVERITY: HIGH,CRITICAL steps: - name: Scan Docker images for vulnerabilities @@ -53,7 +66,6 @@ jobs: export PATH="$HOME/.local/bin:$PATH" fi - GIT_HOST="${GIT_HOST:-git.jakach.ch}" REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}" git clone \ @@ -127,6 +139,8 @@ jobs: if ! trivy \ image \ + --scanners "${TRIVY_IMAGE_SCANNERS}" \ + --vex "${TRIVY_VEX}" \ --exit-code 1 \ --severity "${TRIVY_SEVERITY}" \ --ignore-unfixed \ @@ -148,11 +162,8 @@ jobs: runs-on: ubuntu-latest env: - GIT_REPO: jakach/jakach-login - GIT_BRANCH: main GIT_USER: ${{ vars.GIT_USER }} GIT_TOKEN: ${{ secrets.GIT_TOKEN }} - CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }} steps: - name: Scan source code @@ -197,7 +208,6 @@ jobs: export PATH="$HOME/.local/bin:$PATH" fi - GIT_HOST="${GIT_HOST:-git.jakach.ch}" REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}" git clone \ 
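Review bot: The new workflow-level env sets `APP_NAME: auth`, while the deploy job env removed later in this diff (@@ -226) had `APP_NAME: template`, so a rename of the deployed app rides along inside an env-hoisting refactor; if that is intended it deserves a commit-message mention or a comment such as `# APP_NAME: was "template" at job level; now "auth" for the deploy job`. These values were previously scoped to the deploy job and are now visible to every job, which is harmless here since none of the hoisted values are secrets. Minor style: `APP_PORT: 447` is an integer to a generic YAML parser and a string at runtime; `APP_PORT: "447"` keeps yamllint and the runner in agreement.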
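Review bot: Dropping `GIT_HOST="${GIT_HOST:-git.jakach.ch}"` leaves the REPO_URL line with no guard against an empty GIT_HOST, so if the workflow-level value is ever removed the clone target silently becomes `https://user:token@/jakach/jakach-login`; the same step in the code_scan job (@@ -197) has the identical gap. The deploy job already uses the `: "${VAR:?...}"` idiom for GIT_USER and GIT_TOKEN, so the cheap fix is `: "${GIT_HOST:?GIT_HOST is required}"` immediately before the REPO_URL line in both places. Separately, the retained REPO_URL still embeds GIT_TOKEN in the clone URL, which git stores as the origin URL in the clone's `.git/config` and may echo in error output; the surrounding step starts and ends outside the hunk, so I cannot see whether the remote is rewritten afterwards.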
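Review bot: `--scanners "${TRIVY_IMAGE_SCANNERS}"` with the new value `vuln` narrows the image scan to vulnerabilities only; as far as I know Trivy's default scanner set for `image` also includes secret detection (verify against the Trivy version this runner installs), so this refactor would quietly drop secret scanning from the image gate while the fs scan keeps it via `vuln,misconfig,secret`. `--vex "${TRIVY_VEX}"` with `repo` makes the gate consult a VEX repository resolved at scan time (by default an external one, if I read Trivy's docs correctly), so findings can be suppressed by data outside this repository and the result depends on that source being reachable; a comment above the call such as `# VEX statements from the configured VEX repository can suppress findings; review that source when changing TRIVY_VEX` would make that explicit. The trivy invocation starts and ends outside the hunk.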
@@ -208,14 +218,14 @@ jobs: cd source semgrep scan \ - --config p/default \ + --config "${SEMGREP_CONFIG}" \ --error \ --metrics=off trivy fs \ - --scanners vuln,misconfig,secret \ + --scanners "${TRIVY_FS_SCANNERS}" \ --exit-code 1 \ - --severity HIGH,CRITICAL \ + --severity "${TRIVY_SEVERITY}" \ --ignore-unfixed \ --no-progress \ . @@ -226,14 +236,6 @@ jobs: - security_scan - code_scan - env: - GIT_REPO: jakach/jakach-login - GIT_BRANCH: main - - APP_NAME: template - APP_DOMAIN: auth.jakach.ch - APP_PORT: 447 - steps: - name: Install dependencies run: | @@ -273,8 +275,6 @@ jobs: : "${GIT_USER:?GIT_USER is required}" : "${GIT_TOKEN:?GIT_TOKEN is required}" - GIT_HOST="${GIT_HOST:-git.jakach.ch}" - REPO_NAME="$(basename "$GIT_REPO")" APP_DIR="/srv/systems/${REPO_NAME}"
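Review bot: The fs scan now shares `TRIVY_SEVERITY` with the image scan, so tightening or loosening the severity gate for one silently changes the other; if that coupling is intended, a short comment above `trivy fs` such as `# severity gate shared with the image scan (TRIVY_SEVERITY)` saves the next reader a search. `--config "${SEMGREP_CONFIG}"` still resolves `p/default` from the Semgrep registry at run time, so the ruleset the gate enforces can change without any commit here; now that it is a variable, pointing it at a pinned or vendored ruleset is a one-line change. Note also that the fs scan does not get the `--vex` option the image scan gained, so any VEX suppressions apply to images only.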
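Review bot: `REPO_NAME="$(basename "$GIT_REPO")"` is removed but the following `APP_DIR="/srv/systems/${REPO_NAME}"` still expands REPO_NAME, and nothing in the new workflow-level env defines it, so APP_DIR would collapse to `/srv/systems/` at deploy time unless REPO_NAME is set somewhere outside this hunk. Either keep the removed line or add `REPO_NAME: jakach-login` to the workflow env and guard it with `: "${REPO_NAME:?REPO_NAME is required}"` next to the existing GIT_USER/GIT_TOKEN checks. The step starts before the hunk and may continue past the end of the visible diff, so please confirm no later line re-derives it.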