diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b095beed6a7783a4e660aba28e0ce5313507eced..767e6d8987ad724d1ab25c78d58ddfd5a9c8b1fc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,16 +4,35 @@ cache:
     - node_modules/
     - public/API/vendor/
 
-docker-build-master:
-  # Official docker image.
+docker-build:
+  # Use the official docker image.
   image: docker:latest
   stage: build
   services:
     - docker:dind
   before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" gitlab.jonasled.de
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  # Default branch leaves tag empty (= latest tag)
+  # All other branches are tagged with the escaped branch name (commit ref slug)
   script:
-    - docker build -t gitlab.jonasled.de/jonasled/website:latest .
-    - docker push "gitlab.jonasled.de/jonasled/website:latest"
-  only:
-    - master
\ No newline at end of file
+    - |
+      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
+        tag=""
+        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
+      else
+        tag=":$CI_COMMIT_REF_SLUG"
+        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
+      fi
+    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
+    - docker push "$CI_REGISTRY_IMAGE${tag}"
+  # Run this job in a branch where a Dockerfile exists
+  rules:
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - Dockerfile
+
+php-security-checker:
+  stage: linting
+  image: registry.gitlab.com/pipeline-components/php-security-checker:latest
+  script:
+    - cd public/API && security-checker security:check composer.lock