diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ef8bbab..5b8b6f3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ variables:
 ANNOUNCE: http://labsync.lab.fablab-nea.de:6969/announce
 WEBSEED: http://labsync.lab.fablab-nea.de/labsync/$CI_COMMIT_REF_NAME/$CI_PIPELINE_ID/images
 DOCKER_IMAGE_BUILDER: ${CI_REGISTRY_IMAGE}/labsync-builder:main
- DOCKER_IMAGE_SECURITY_SCANNER: ${CI_REGISTRY_IMAGE}/security-scanner:$CI_COMMIT_REF_SLUG
+ DOCKER_IMAGE_SECURITY_SCANNER: ${CI_REGISTRY_IMAGE}/security-scanner:main
 DOCKER_TLS_CERTDIR: ""
 stages:
@@ -38,7 +38,7 @@ dockerimage_builder:
 - if:
 changes:
 paths:
- - builder
+ - builder/**/*
 compare_to: main
 when: on_success
@@ -53,9 +53,19 @@ dockerimage_security_scanner:
 - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
 - make secscanimg
 - docker push $DOCKER_IMAGE_SECURITY_SCANNER
- except:
- refs:
- - schedules
+ - echo "DOCKER_IMAGE_SECURITY_SCANNER=${CI_REGISTRY_IMAGE}/security-scanner:$CI_COMMIT_REF_SLUG" >> build.env
+ artifacts:
+ reports:
+ dotenv: build.env
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ when: on_success
+ - if:
+ changes:
+ paths:
+ - security-scanner/**/*
+ compare_to: main
+ when: on_success
 security_scanner:
 stage: check
@@ -89,6 +99,8 @@ lightburn-download:
 services:
 - docker:dind
 script:
+ - echo DOCKER_IMAGE_BUILDER=$DOCKER_IMAGE_BUILDER
+ - echo DOCKER_IMAGE_SECURITY_SCANNER=$DOCKER_IMAGE_SECURITY_SCANNER
 - scripts/packer.sh debian-bookworm
 - aws --endpoint-url "$AWS_ENDPOINT_URL" s3 cp images/ "s3://$AWS_BUCKET/$CI_COMMIT_REF_SLUG/$CI_JOB_ID/" --recursive --no-progress
 artifacts:
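Review bot: With the default changed to `security-scanner:main`, the `docker push $DOCKER_IMAGE_SECURITY_SCANNER` step in the `dockerimage_security_scanner` hunk appears to push every build to the shared `:main` tag, including builds started on other branches by the new `security-scanner/**/*` changes rule. A branch that has not been reviewed could then replace the scanner image the default branch relies on, while the `build.env` line advertises a `$CI_COMMIT_REF_SLUG` tag that the visible steps never push. This assumes `make secscanimg` tags from the same variable and that the job has no `variables:` override, neither of which is visible here. I would set the name once before building, `- export DOCKER_IMAGE_SECURITY_SCANNER="${CI_REGISTRY_IMAGE}/security-scanner:$CI_COMMIT_REF_SLUG"`, and write that same value out with `- echo "DOCKER_IMAGE_SECURITY_SCANNER=$DOCKER_IMAGE_SECURITY_SCANNER" >> build.env`.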
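Review bot: Replacing `except: refs: schedules` with `rules:` in `dockerimage_security_scanner` drops the schedule exclusion, because `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` also matches scheduled pipelines on the default branch, which would now rebuild and push the scanner image. If that is not intended, put `- if: $CI_PIPELINE_SOURCE == "schedule"` with `when: never` ahead of the other rules. The unchanged login step still passes the token as `-p $CI_JOB_TOKEN`; `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY` keeps it off the command line. The job's header and the start of its script are outside the hunk.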
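Review bot: The two added `echo` lines read as leftover debugging and print only the image tag, which is mutable, so the job log does not identify which image content was actually resolved. If they are meant as a record of the resolved references, a comment such as `# log which image refs this job resolved (dotenv may override the :main default)` would say so, and logging the image digest as well would make the record usable for a later audit. The job these script steps belong to starts outside the hunk, so whether it consumes either image is not visible here.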