diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2c7ece7d75667b42bf402458b86cff96a8d226ff..1acbc73b75dc3fbaed7976a9d8a9caa8437f9219 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,6 +22,13 @@ include:
       analyzer_image: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6"
       # FIXME: why do I have to set this, this is weird ...
       force_run: true
+    rules:
+      - changes:
+          - Dockerfile
+          - .gitlab-ci.yml
+          - src/gitlab-tofu.sh
+      - if: $CI_COMMIT_TAG
+      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 stages:
   - build
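Review bot: The `changes:` list in the new `rules:` is a hand-maintained allowlist of image inputs, so a branch pipeline that alters anything else baked into the image will not include the container-scanning component until the change lands on the default branch or a tag. The Dockerfile is not visible here, so confirm that `Dockerfile`, `.gitlab-ci.yml` and `src/gitlab-tofu.sh` really cover everything it copies in, and record that with a comment above the list such as `# keep in sync with every file the Dockerfile copies into the image`. In plain branch pipelines `rules:changes` is evaluated against the pushed commits rather than the whole branch, so a follow-up push that leaves these files untouched would presumably drop the scan from that pipeline. If scan results are meant to gate merges, check how this behaves with the project's pipeline type. The include entry these rules attach to begins above the hunk, so the component reference itself could not be checked.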