diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 136a82fd99e6f289d56e90612a2edb810a8482cc..a32b1a7c26f45518a66162bba76049509cf714eb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,8 +15,8 @@ metabuild:
     before_script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
     script:
-        - docker build -f pica-ci/Dockerfile . -t $REGISTRY/pica-ci
-        - docker push $REGISTRY/pica-ci:latest
+            - docker build -f pica-ci/Dockerfile . -t $REGISTRY/pica-ci:$CI_COMMIT_SHA
+        - docker push $REGISTRY/pica-ci:$CI_COMMIT_SHA
     after_script:
         - docker logout $REGISTRY
     tags: [build]
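Review bot: The added `docker build` entry under `script:` is indented 12 spaces while the `docker push` entry after it sits at 8, so the two items no longer form one block sequence and the file will most likely fail YAML parsing or GitLab's CI lint. Re-indent the build line to 8 spaces so it lines up with `- docker push $REGISTRY/pica-ci:$CI_COMMIT_SHA`. While these lines are being touched, quoting the reference (`-t "$REGISTRY/pica-ci:$CI_COMMIT_SHA"`) protects against an empty or space-containing variable producing a different tag than intended. The metabuild job begins above this hunk, so any `only`/`rules` on it are not visible here.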
@@ -34,7 +34,7 @@ metabuild:
 # build the container that was modified
 build:
     stage: build
-    image: $REGISTRY/pica-ci:latest
+    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
     before_script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
         - source /etc/profile.d/ci-variables
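Review bot: `image: $REGISTRY/pica-ci:$CI_COMMIT_SHA` makes this job depend on metabuild having pushed an image for this exact commit, and the same applies to clair, docker-bench-security, deployment-test and deployment-prod in the later hunks. If metabuild is restricted by conditions outside the visible lines, or the registry prunes per-commit tags before the manually triggered deployment-prod runs, the image pull will fail, so this is worth confirming along with a retention policy for the per-commit tags. A commit-SHA tag is more traceable than `latest`, but it is still a mutable tag that anyone holding the registry credentials can overwrite; pinning by digest would be the stronger guarantee if the pipeline can carry the digest forward. At minimum, a comment above each `image:` line such as `# CI image pushed by metabuild for this commit; must exist before this stage` would document the new ordering requirement.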
@@ -58,7 +58,7 @@ build:
 # run CoreOS' Clair and make the CI failed if a critical vulnerability isn't in the whitelist
 clair:
     stage: static_tests
-    image: $REGISTRY/pica-ci:latest
+    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
     before_script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
         - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
@@ -91,7 +91,7 @@ clair:
 # run docker-bench-security and upload the results
 docker-bench-security:
     stage: dynamic_tests
-    image: $REGISTRY/pica-ci:latest
+    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
     before_script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
         - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
@@ -129,7 +129,7 @@ docker-bench-security:
 # automatically deploy the container on pica01-test
 deployment-test:
     stage: deployment
-    image: $REGISTRY/pica-ci:latest
+    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
     variables:
         PICA_ENVIRONMENT: "TEST"
     before_script:
@@ -171,7 +171,7 @@ deployment-test:
 # this will only happen after manually triggering the deployment
 deployment-prod:
     stage: deployment
-    image: $REGISTRY/pica-ci:latest
+    image: $REGISTRY/pica-ci:$CI_COMMIT_SHA
     variables:
         PICA_ENVIRONMENT: "PRODUCTION"
     before_script:
diff --git a/pica-dokuwiki/clair-whitelist.yml b/pica-dokuwiki/clair-whitelist.yml
index 6c0c6e6e16c9f7759c418b32166917e7cb9c18fb..79ce215bc5bc8822abf22ae6451bb60e265ae4c8 100644
--- a/pica-dokuwiki/clair-whitelist.yml
+++ b/pica-dokuwiki/clair-whitelist.yml
@@ -8,4 +8,4 @@ generalwhitelist:
     CVE-2017-12424: shadow -> Pas de contre-mesure
     CVE-2016-2779: util-linux -> Pas de contre-mesure
     CVE-2017-14062: libidn11 -> dépendance directe de wget et indirecte de curl, un des 2 est nécessaire pour le HEALTHCHECK et le téléchargement de Dokuwiki -> Pas de contre-mesure
-    CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure 
\ No newline at end of file
+    CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure