diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 21cd67226310a916aaec90f00b6728b0673ea6e3..4cd810f1e3a161885e9330b8b45fe8fba9981666 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,6 +22,13 @@ include:
       analyzer_image: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6"
       # FIXME: why do I have to set this, this is weird ...
       force_run: true
+    rules:
+      - changes:
+          - Dockerfile
+          - .gitlab-ci.yml
+          - src/gitlab-tofu.sh
+      - if: $CI_COMMIT_TAG
+      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 stages:
   - build
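Review bot: The `changes:` list under the new `rules:` is a hand-maintained allowlist of image inputs, so a branch or merge-request pipeline that alters any other file that ends up in the image skips container scanning until the change reaches the default branch or a tag. Whether other paths are copied into the image cannot be seen from this hunk, so the list should be checked against the Dockerfile's COPY/ADD sources. A comment above `rules:` such as `# Scan only when image inputs change; keep in sync with the files the Dockerfile copies in` would record that dependency. With this gating, newly published CVEs against an unchanged image surface only on default-branch and tag pipelines, which presumably relies on a scheduled pipeline on the default branch; it is worth confirming one exists.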