diff --git a/README.md b/README.md
index ef7cfc342e5ffac7c3dea527608b6fd45b9ec957..c6bfa8a543880ac8c26532d0f026bc6c69bca375 100644
--- a/README.md
+++ b/README.md
@@ -571,7 +571,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 
 | Input / Variable  | Description                            | Default value     |
 | ----------------- | -------------------------------------- | ----------------- |
-| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
+| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
 | `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | _none_ |
 | `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
@@ -630,7 +630,7 @@ List of requirements before using this variant for publishing your container ima
 
 | Input / Variable         | Description                            | Default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
-| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main` |
+| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest` |
 | `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |
 | `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
 | `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
@@ -684,7 +684,7 @@ In order to use the AWS APIs, the variant supports two authentication methods:
 
 | Input / Variable         | Description                            | Default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
-| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master` |
+| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest` |
 | `aws-region` / `AWS_REGION` | Default region (where the ECR registry is located) | _none_ |
 | `aws-snapshot-region` / `AWS_SNAPSHOT_REGION` | Region of the ECR registry for the snapshot image _(only define to override default)_ | _none_ |
 | `aws-release-region` / `AWS_RELEASE_REGION` | Region of the ECR registry for the release image _(only define to override default)_ | _none_ |
diff --git a/kicker.json b/kicker.json
index 78f79b4984a37499f1c9af09c02a731a49fc6e4a..ffd0a499fa19f983b2e6285e286d4889afcaca72 100644
--- a/kicker.json
+++ b/kicker.json
@@ -237,7 +237,7 @@
         {
           "name": "TBC_VAULT_IMAGE",
           "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
-          "default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
+          "default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest",
           "advanced": true
         },
         {
@@ -273,7 +273,7 @@
         {
           "name": "TBC_GCP_PROVIDER_IMAGE",
           "description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use",
-          "default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main",
+          "default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest",
           "advanced": true
         },
         {
@@ -321,7 +321,7 @@
         {
           "name": "TBC_AWS_PROVIDER_IMAGE",
           "description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",
-          "default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master",
+          "default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest",
           "advanced": true
         },
         {
diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml
index 87583d58b21acfff7aa16be06452bbb7547aa2b9..fb4be9af7969bdc0cc6459c2f8accc438b007044 100644
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -33,7 +33,7 @@ spec:
       default: ''
 ---
 variables:
-  TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master
+  TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest
   AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
   AWS_REGION: $[[ inputs.aws-region ]]
   AWS_SNAPSHOT_REGION: $[[ inputs.aws-snapshot-region ]]
diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml
index 7da4f379fd2bd5b439a01c92108eebd7264c7a19..a0cbd3d7425b6b964b6a02e1a2fe04249a295a8b 100644
--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -32,7 +32,7 @@ spec:
       default: ''
 ---
 variables:
-  TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main
+  TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest
   GCP_OIDC_AUD: $[[ inputs.gcp-oidc-aud ]]
   GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
   GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index 78c2c8fd7e1e62cf1e6d6d246b990639a46c66e2..4c5e1acbb6b82a624f019e0ed884cd07b0113e57 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -12,7 +12,7 @@ spec:
 ---
 variables:
   # variabilized vault-secrets-provider image
-  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master
+  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest
   VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
   # variables have to be explicitly declared in the YAML to be exported to the service
   VAULT_ROLE_ID: "$VAULT_ROLE_ID"