diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 47047ce597dbb9d02826b24d79d8409ab167ea80..8075643ae13b0db19baf9580915546023435b8e0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ include:
     file: '/templates/validation.yml'
   - project: 'to-be-continuous/bash'
     ref: '3.3'
-    file: 'templates/gitlab-ci-bash.yml'
+    file: '/templates/gitlab-ci-bash.yml'
   - project: 'to-be-continuous/semantic-release'
     ref: '3.7'
     file: '/templates/gitlab-ci-semrel.yml'    
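Review bot: The corrected `file: '/templates/gitlab-ci-bash.yml'` entry is still resolved against `ref: '3.3'`, which looks like a movable tag or branch rather than an immutable commit. Included templates run inside this project's pipeline with access to its CI/CD variables, so if the upstream ref were retargeted, what executes here would change without any commit in this repository. If reproducibility matters more than picking up patch releases automatically, pin the ref to a full commit SHA and keep the version in a comment, e.g. `ref: '<commit-sha>'  # 3.3`. The same applies to the `semantic-release` entry at `ref: '3.7'`. The `include:` list begins above the hunk, so earlier entries are not visible here.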
diff --git a/README.md b/README.md
index e883a18954a55fd529c05d32649c630007551bf0..0c12f5ac629c9430ce02f57623df54199d14ba1c 100644
--- a/README.md
+++ b/README.md
@@ -4,13 +4,36 @@ This project implements a GitLab CI/CD template to build, check and inspect your
 
 ## Usage
 
-In order to include this template in your project, add the following to your `.gitlab-ci.yml` :
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) 
+or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+
+### Use as a CI/CD component
+
+Add the following to your `gitlab-ci.yml`:
 
 ```yaml
 include:
+  # 1: include the component
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+    # 2: set/override component inputs
+    inputs:
+      build-tool: buildah # ⚠ this is only an example
+```
+
+### Use as a CI/CD template (legacy)
+
+Add the following to your `gitlab-ci.yml`:
+
+```yaml
+include:
+  # 1: include the template
   - project: 'to-be-continuous/docker'
     ref: '5.7.1'
     file: '/templates/gitlab-ci-docker.yml'
+
+variables:
+  # 2: set/override template variables
+  DOCKER_BUILD_TOOL: buildah # ⚠ this is only an example
 ```
 
 ## Understanding the Docker template
@@ -33,19 +56,19 @@ select an alternate build tool by using the `DOCKER_BUILD_TOOL` variable (see be
 
 The Docker template uses some global configuration used throughout all jobs.
 
-| Name                  | Description                            | Default value     |
+| Input / Variable | Description                            | Default value     |
 | --------------------- | -------------------------------------- | ----------------- |
-| `DOCKER_BUILD_TOOL`   | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind` | `kaniko` |
-| `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
-| `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable` |
-| `DOCKER_IMAGE`        | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest`  |
-| `DOCKER_DIND_IMAGE`   | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind`    |
-| `DOCKER_FILE`         | The path to your `Dockerfile`          | `./Dockerfile`    |
-| `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ |
+| `build-tool` / `DOCKER_BUILD_TOOL` | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind` | `kaniko` |
+| `kaniko-image` / `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
+| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable` |
+| `image` / `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest`  |
+| `dind-image` / `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind`    |
+| `file` / `DOCKER_FILE` | The path to your `Dockerfile`          | `Dockerfile`    |
+| `context-path` / `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ |
 
 In addition to this, the template supports _standard_ Linux proxy variables:
 
-| Name                  | Description                                 | Default value |
+| Input / Variable | Description                                 | Default value |
 | --------------------- | ------------------------------------------- | ------------- |
 | `http_proxy`          | Proxy used for http requests                | _none_        |
 | `https_proxy`         | Proxy used for https requests               | _none_        |
@@ -72,10 +95,10 @@ In practice:
 
 The **snapshot** and **release** images are defined by the following variables:
 
-| Name                      | Description           | Default value                                     |
+| Input / Variable | Description           | Default value                                     |
 | ------------------------- | --------------------- | ------------------------------------------------- |
-| `DOCKER_SNAPSHOT_IMAGE`   | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
-| `DOCKER_RELEASE_IMAGE`    | Docker release image  | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME`          |
+| `snapshot-image` / `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
+| `release-image` / `DOCKER_RELEASE_IMAGE` | Docker release image  | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME`          |
 
 As you can see, the Docker template is configured by default to use the GitLab container registry.
 You may perfectly override this and use another Docker registry, but be aware of a few things:
@@ -98,7 +121,7 @@ If you use the **same registry** for both snapshot and release images, you shall
 
 variables:
 
-| Name                             | Description                            |
+| Input / Variable | Description                            |
 | -------------------------------- | -------------------------------------- |
 | :lock: `DOCKER_REGISTRY_USER`    | Docker registry username for image registry |
 | :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry  |
@@ -107,7 +130,7 @@ variables:
 
 If you use **different registries** for snapshot and release images, you shall use separate configuration variables:
 
-| Name                                     | Description                            |
+| Input / Variable | Description                            |
 | ---------------------------------------- | -------------------------------------- |
 | :lock: `DOCKER_REGISTRY_SNAPSHOT_USER`   | Docker registry username for snapshot image registry |
 | :lock: `DOCKER_REGISTRY_SNAPSHOT_PASSWORD`| Docker registry password for snapshot image registry |
@@ -128,9 +151,9 @@ If you are in one of those cases, you will need to use the `DOCKER_CONFIG_FILE`
 * leave the default value (`.docker/config.json`) or override it to some alternate location in your project repository and create the file **without any secret in it** using our dynamic variables replacement (see below),
 * or override it as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types), possibly inlining your secret credentials in it.
 
-| Name                      | Description           | Default value                                     |
+| Input / Variable | Description           | Default value                                     |
 | ------------------------- | --------------------- | ------------------------------------------------- |
-| `DOCKER_CONFIG_FILE`      | Path to the Docker configuration file (JSON) | `.docker/config.json` |
+| `config-file` / `DOCKER_CONFIG_FILE` | Path to the Docker configuration file (JSON) | `.docker/config.json` |
 
 Moreover, this file supports **dynamic environment variables replacement**.
 That means it may contain references to other environment variables (in the format `${variable_name}`) that will be dynamically replaced
@@ -245,11 +268,11 @@ This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Docker
 
 It is bound to the `build` stage, and uses the following variables:
 
-| Name                       | Description                            | Default value                           |
+| Input / Variable | Description                            | Default value                           |
 | -------------------------- | -------------------------------------- | --------------------------------------- |
-| `DOCKER_HADOLINT_DISABLED`          | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
-| `DOCKER_HADOLINT_IMAGE`    | The Hadolint image                     | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`       |
-| `DOCKER_HADOLINT_ARGS`     | Additional `hadolint` arguments        | _(none)_                        |
+| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
+| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image                     | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`       |
+| `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments        | _(none)_                        |
 
 In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
 
@@ -276,18 +299,18 @@ This job builds the image and publishes it to the _snapshot_ repository.
 
 It is bound to the `package-build` stage, and uses the following variables:
 
-| Name                               | Description                                                                                                                                                             | Default value                  |
+| Input / Variable | Description                                                                                                                                                             | Default value                  |
 | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
-| `DOCKER_BUILD_ARGS`                | Additional `docker/kaniko/buildah` `build` arguments                                                                                                                    | _(none)_                       |
-| `DOCKER_REGISTRY_MIRROR`           | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) <br>:warning: Used by the `kaniko` and `dind` options only | _(none)_                       |
-| `CONTAINER_REGISTRIES_CONFIG_FILE` | The [`registries.conf`](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used<br>:warning: Used by the `buildah` build only             | _(none)_                       |
-| `DOCKER_METADATA`                  | Additional `docker build`/`kaniko` arguments to set label                                                                                                               | OCI Image Format Specification |
-| `KANIKO_SNAPSHOT_IMAGE_CACHE`      | Snapshot image repository that will be used to store cached layers<br>:warning: Used by the `kaniko` build only                                                         | `${DOCKER_SNAPSHOT_IMAGE%:*}/cache` |
-| `DOCKER_BUILD_CACHE_DISABLED`      | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
+| `build-args` / `DOCKER_BUILD_ARGS` | Additional `docker/kaniko/buildah` `build` arguments                                                                                                                    | _(none)_                       |
+| `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) <br>:warning: Used by the `kaniko` and `dind` options only | _(none)_                       |
+| `container-registries-config-file` / `CONTAINER_REGISTRIES_CONFIG_FILE` | The [`registries.conf`](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used<br>:warning: Used by the `buildah` build only             | _(none)_                       |
+| `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label                                                                                                               | OCI Image Format Specification |
+| `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers<br>:warning: Used by the `kaniko` build only                                                         | `${DOCKER_SNAPSHOT_IMAGE%:*}/cache` |
+| `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED`      | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
 
 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
 
-| Name                  | Description                                            | Example                                 |
+| Input / Variable | Description                                            | Example                                 |
 | --------------------- | ------------------------------------------------------ | --------------------------------------- |
 | `docker_image`        | snapshot image name **with tag**                       | `registry.gitlab.com/acme/website/snapshot:main` |
 | `docker_image_digest` | snapshot image name **with digest** (no tag)           | `registry.gitlab.com/acme/website/snapshot@sha256:b7914a91...` |
@@ -346,12 +369,12 @@ This job performs a [Health Check](https://docs.docker.com/engine/reference/buil
 
 It is bound to the `package-test` stage, and uses the following variables:
 
-| Name                                   | Description                                                          | Default value     |
+| Input / Variable | Description                                                          | Default value     |
 | -------------------------------------- | -------------------------------------------------------------------- | ----------------- |
-| `DOCKER_HEALTHCHECK_DISABLED`          | Set to `true` to disable health check                                          | _(none: enabled by default)_ |
-| `DOCKER_HEALTHCHECK_TIMEOUT`           | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
-| `DOCKER_HEALTHCHECK_OPTIONS`           | Docker options for health check such as port mapping, environment... | _(none)_ |
-| `DOCKER_HEALTHCHECK_CONTAINER_ARGS`    | Set arguments sent to the running container for health check         | _(none)_ |
+| `healthcheck-disabled` / `DOCKER_HEALTHCHECK_DISABLED` | Set to `true` to disable health check                                          | _(none: enabled by default)_ |
+| `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
+| `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
+| `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check         | _(none)_ |
 
 In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
 
@@ -373,13 +396,13 @@ variables:
 
 It is bound to the `package-test` stage, and uses the following variables:
 
-| Name                   | Description                            | Default value     |
+| Input / Variable | Description                            | Default value     |
 | ---------------------- | -------------------------------------- | ----------------- |
-| `DOCKER_TRIVY_IMAGE`   | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` |
-| `DOCKER_TRIVY_ADDR`    | The Trivy server address (for client/server mode)              | _(none: standalone mode)_  |
-| `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
-| `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis          | _(none)_ |
-| `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
+| `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` |
+| `trivy-addr` / `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode)              | _(none: standalone mode)_  |
+| `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
+| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis          | _(none)_ |
+| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
 
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
 
@@ -394,28 +417,28 @@ This job generates a [SBOM](https://cyclonedx.org/) file listing installed packa
 
 It is bound to the `package-test` stage, and uses the following variables:
 
-| Name                  | description                            | default value     |
+| Input / Variable | Description                            | Default value     |
 | --------------------- | -------------------------------------- | ----------------- |
-| `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
-| `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
-| `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
+| `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
+| `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger` |
 
 ### `docker-publish` job
 
 This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
 
-| Name                  | Description                                                                 | Default value     |
+| Input / Variable | Description                                                                 | Default value     |
 | --------------------- | --------------------------------------------------------------------------- | ----------------- |
-| `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
-| `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_          |
-| `DOCKER_PROD_PUBLISH_STRATEGY`| Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). | `manual` |
-| `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
-| `DOCKER_RELEASE_EXTRA_TAGS`   | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags))       | _(none)_          |
-| `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
+| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
+| `publish-args` / `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_          |
+| `prod-publish-strategy` / `DOCKER_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). | `manual` |
+| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
+| `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags))       | _(none)_          |
+| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
 
 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
 
-| Name                  | Description                                           | Example                                 |
+| Input / Variable | Description                                           | Example                                 |
 | --------------------- | ----------------------------------------------------- | --------------------------------------- |
 | `docker_image`        | release image name **with tag**                       | `registry.gitlab.com/acme/website:main` |
 | `docker_image_digest` | release image name **with digest** (no tag)           | `registry.gitlab.com/acme/website@sha256:b7914a91...` |
@@ -504,14 +527,11 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
 
 ```yaml
 include:
-  - project: 'to-be-continuous/docker'
-    ref: '5.7.1'
-    file: '/templates/gitlab-ci-docker.yml'
-
-variables:
-  DOCKER_SNAPSHOT_IMAGE: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
-  DOCKER_RELEASE_IMAGE: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
-  # $DOCKER_REGISTRY_USER and $DOCKER_REGISTRY_PASSWORD are defined as secret GitLab variables
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+    inputs:
+      snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
+      release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
+      # $DOCKER_REGISTRY_USER and $DOCKER_REGISTRY_PASSWORD are defined as secret GitLab variables
 ```
 
 Depending on the Docker registry you're using, you may have to use a real password or generate a token as authentication credential.
@@ -522,12 +542,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u
 
 ```yaml
 include:
-  - project: 'to-be-continuous/docker'
-    ref: '5.7.1'
-    file: '/templates/gitlab-ci-docker.yml'
-
-variables:
-  DOCKER_DIND_BUILD: "true"
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
 
 .docker-base:
   parallel:
@@ -552,11 +567,11 @@ This variant allows delegating your secrets management to a [Vault](https://www.
 
 In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
 
-| Name              | Description                            | Default value     |
+| Input / Variable  | Description                            | Default value     |
 | ----------------- | -------------------------------------- | ----------------- |
 | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
-| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
-| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | _none_ |
+| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
 
@@ -570,7 +585,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
 
 With:
 
-| Name                             | Description                            |
+| Parameter                        | Description                            |
 | -------------------------------- | -------------------------------------- |
 | `secret_path` (_path parameter_) | this is your secret location in the Vault server |
 | `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
@@ -580,24 +595,21 @@ With:
 ```yaml
 include:
   # main template
-  - project: 'to-be-continuous/docker'
-    ref: '5.7.1'
-    file: '/templates/gitlab-ci-docker.yml'
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
   # Vault variant
-  - project: 'to-be-continuous/docker'
-    ref: '5.7.1'
-    file: '/templates/gitlab-ci-docker-vault.yml'
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
+    inputs:
+      # audience claim for JWT
+      vault-oidc-aud: "https://vault.acme.host"
+      vault-base-url: "https://vault.acme.host/v1"
+      # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
 
 variables:
-    # audience claim for JWT
-    VAULT_OIDC_AUD: "https://vault.acme.host"
-    # Secrets managed by Vault
-    DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user"
-    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token"
-    DOCKER_REGISTRY_RELEASE_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user"
-    DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token"
-    VAULT_BASE_URL: "https://vault.acme.host/v1"
-    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
+  # Secrets managed by Vault
+  DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user"
+  DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token"
+  DOCKER_REGISTRY_RELEASE_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user"
+  DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token"
 ```
 
 ### Google Cloud variant
@@ -614,15 +626,16 @@ List of requirements before using this variant for publishing your container ima
 
 #### Configuration
 
-| Name                     | description                            | default value     |
+| Input / Variable         | Description                            | Default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
 | `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main` |
-| `GCP_OIDC_PROVIDER`      | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
-| `GCP_OIDC_ACCOUNT`       | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
-| `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define if different from default)_ | _none_ |
-| `GCP_SNAPSHOT_OIDC_ACCOUNT`  | Service Account to use to push the snapshot image _(only define if different from default)_ | _none_ |
-| `GCP_RELEASE_OIDC_PROVIDER`  | Workload Identity Provider to push the release image _(only define if different from default)_ | _none_ |
-| `GCP_RELEASE_OIDC_ACCOUNT`   | Service Account to use to push the release image _(only define if different from default)_ | _none_ |
+| `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |
+| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
+| `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
+| `gcp-snapshot-oidc-provider` / `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define to override default)_ | _none_ |
+| `gcp-snapshot-oidc-account` / `GCP_SNAPSHOT_OIDC_ACCOUNT` | Service Account to use to push the snapshot image _(only define to override default)_ | _none_ |
+| `gcp-release-oidc-provider` / `GCP_RELEASE_OIDC_PROVIDER` | Workload Identity Provider to push the release image _(only define to override default)_ | _none_ |
+| `gcp-release-oidc-account` / `GCP_RELEASE_OIDC_ACCOUNT` | Service Account to use to push the release image _(only define to override default)_ | _none_ |
 
 :warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
 to use the snapshot image repository (will host your snapshot image as well as cached layers).
@@ -631,28 +644,24 @@ to use the snapshot image repository (will host your snapshot image as well as c
 
 ```yaml
 include:
-  - project: 'to-be-continuous/docker'
-    ref: "5.2.0"
-    file: '/templates/gitlab-ci-docker.yml'
-  - project: 'to-be-continuous/docker'
-    ref: "5.2.0"
-    file: '/templates/gitlab-ci-docker-gcp.yml'
-
-variables:
-  # untested & unverified container image
-  DOCKER_SNAPSHOT_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot:$CI_COMMIT_REF_SLUG"
-  # ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko
-  # validated container image (published)
-  DOCKER_RELEASE_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
-  # default WIF provider
-  GCP_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
-  # default GCP Service Account
-  GCP_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
-  # WIF provider for snapshot images
-  GCP_SNAPSHOT_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
-  # GCP Service Account for snapshot images
-  GCP_SNAPSHOT_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
-  DOCKER_BUILD_TOOL: "kaniko" # Only Kaniko has been proved to work for this use case YET
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+    inputs:
+      build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
+      # untested & unverified container image
+      snapshot-image: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot:$CI_COMMIT_REF_SLUG"
+      # ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko
+      # validated container image (published)
+      release-image: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-gcp@5.7.0
+    inputs:
+      # default WIF provider
+      gcp-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
+      # default GCP Service Account
+      gcp-oidc-account: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
+      # WIF provider for snapshot images
+      gcp-snapshot-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
+      # GCP Service Account for snapshot images
+      gcp-snapshot-oidc-account: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
 ```
 
 ### Amazon Elastic Container Registry
@@ -671,12 +680,12 @@ In order to use the AWS APIs, the variant supports two authentication methods:
 
 #### Configuration
 
-| Name                     | description                            | default value     |
+| Input / Variable         | Description                            | Default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
 | `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master` |
-| `AWS_REGION`             | Default region (where the ECR registry is located) | _none_ |
-| `AWS_SNAPSHOT_REGION`    | Region of the ECR registry for the snapshot image _(only define if different from default)_ | _none_ |
-| `AWS_RELEASE_REGION`     | Region of the ECR registry for the release image _(only define if different from default)_ | _none_ |
+| `aws-region` / `AWS_REGION` | Default region (where the ECR registry is located) | _none_ |
+| `aws-snapshot-region` / `AWS_SNAPSHOT_REGION` | Region of the ECR registry for the snapshot image _(only define to override default)_ | _none_ |
+| `aws-release-region` / `AWS_RELEASE_REGION` | Region of the ECR registry for the release image _(only define to override default)_ | _none_ |
 
 :warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
 to use the snapshot image repository (will host your snapshot image as well as cached layers).
@@ -686,42 +695,38 @@ to use the snapshot image repository (will host your snapshot image as well as c
 This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
 then set the required configuration.
 
-| Name                     | description                            | default value     |
+| Input / Variable         | Description                            | Default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
-| `AWS_OIDC_AUD`           | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |
-| `AWS_OIDC_ROLE_ARN`      | Default IAM Role ARN associated with GitLab | _none_ |
-| `AWS_SNAPSHOT_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the snapshot image _(only define if different from default)_| _none_ |
-| `AWS_RELEASE_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the release image _(only define if different from default)_| _none_ |
+| `aws-oidc-aud` / `AWS_OIDC_AUD` | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |
+| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab | _none_ |
+| `aws-snapshot-oidc-role-arn` / `AWS_SNAPSHOT_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the snapshot image _(only define to override default)_| _none_ |
+| `aws-release-oidc-role-arn` / `AWS_RELEASE_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab for the release image _(only define to override default)_| _none_ |
 
 ##### Basic authentication config
 
-| Name                     | description                            | default value     |
+| Variable                 | Description                            | Default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
 | `AWS_ACCESS_KEY_ID`      | Default access key ID | _none_ (disabled) |
 | `AWS_SECRET_ACCESS_KEY`  | Default secret access key | _none_ (disabled) |
-| `AWS_SNAPSHOT_ACCESS_KEY_ID`| Access key ID for the snapshot image _(only define if different from default)_ | _none_ |
-| `AWS_SNAPSHOT_SECRET_ACCESS_KEY`| Secret access key for the snapshot image _(only define if different from default)_ | _none_ |
-| `AWS_RELEASE_ACCESS_KEY_ID`| Access key ID for the release image _(only define if different from default)_ | _none_ |
-| `AWS_RELEASE_SECRET_ACCESS_KEY`| Secret access key for the release image _(only define if different from default)_ | _none_ |
+| `AWS_SNAPSHOT_ACCESS_KEY_ID`| Access key ID for the snapshot image _(only define to override default)_ | _none_ |
+| `AWS_SNAPSHOT_SECRET_ACCESS_KEY`| Secret access key for the snapshot image _(only define to override default)_ | _none_ |
+| `AWS_RELEASE_ACCESS_KEY_ID`| Access key ID for the release image _(only define to override default)_ | _none_ |
+| `AWS_RELEASE_SECRET_ACCESS_KEY`| Secret access key for the release image _(only define to override default)_ | _none_ |
 
 #### Example
 
 ```yaml
 include:
-  - project: 'to-be-continuous/docker'
-    ref: "5.2.0"
-    file: '/templates/gitlab-ci-docker.yml'
-  - project: 'to-be-continuous/docker'
-    ref: "5.2.0"
-    file: '/templates/gitlab-ci-docker-ecr.yml'
-
-variables:
-  AWS_REGION: "us-east-1"
-  # untested & unverified container image
-  DOCKER_SNAPSHOT_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot:$CI_COMMIT_REF_SLUG"
-  # ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko
-  # validated container image (published)
-  DOCKER_RELEASE_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH:$CI_COMMIT_REF_NAME"
-  # default Role ARN (using OIDC authentication method)
-  AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/gitlab-ci"
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.7.0
+    inputs:
+      # untested & unverified container image
+      snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot:$CI_COMMIT_REF_SLUG"
+      # ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko
+      # validated container image (published)
+      release-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH:$CI_COMMIT_REF_NAME"
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker-ecr@5.7.0
+    inputs:
+      # default Role ARN (using OIDC authentication method)
+      aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci"
+      aws-region: "us-east-1"
 ```
diff --git a/bumpversion.sh b/bumpversion.sh
index f06829a406ca8da98e570e8ad7d8bb22367b668d..ed44d7b68b0e09f6d2cf557f7a15e52553246341 100755
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
   log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
 
   # replace in README
-  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
   mv -f README.md.next README.md
 
   # replace in template and variants
   for tmpl in templates/*.yml
   do
-    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
+    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
     mv -f "$tmpl.next" "$tmpl"
   done
 else
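Review bot: The second `-e` expression on the README `sed` line mixes ASCII and typographic quotes: the pattern opens with `\"` but closes with `\”` (U+201D), and the replacement uses `\”` on both sides. As written it will not match an ASCII double-quoted `ref:`, so those README entries keep the old version after a release, and if it ever did match it would write curly quotes into the README. Use ASCII quotes throughout: `-e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/"`. Separately, `$curVer` is interpolated into the regex unescaped, so its dots match any character; that is probably harmless here but worth a short comment. The enclosing `if` block starts and ends outside the hunk.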
diff --git a/kicker.json b/kicker.json
index 39dccad03da3b65e8c74b0360c9dfc47a1e6adbc..6e6243326ab6c83b822150b3524e4b1d9bcaaf46 100644
--- a/kicker.json
+++ b/kicker.json
@@ -3,6 +3,8 @@
   "description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)",
   "template_path": "templates/gitlab-ci-docker.yml",
   "kind": "package",
+  "prefix": "docker",
+  "is_component": true,
   "variables": [
     {
       "name": "DOCKER_BUILD_TOOL",
@@ -39,7 +41,7 @@
     {
       "name": "DOCKER_FILE",
       "description": "The path to your `Dockerfile`",
-      "default": "$CI_PROJECT_DIR/Dockerfile"
+      "default": "Dockerfile"
     },
     {
       "name": "DOCKER_CONTEXT_PATH",
@@ -265,6 +267,12 @@
           "default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main",
           "advanced": true
         },
+        {
+          "name": "GCP_OIDC_AUD",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "default": "$CI_SERVER_URL",
+          "advanced": true
+        },
         {
           "name": "GCP_OIDC_ACCOUNT",
           "description": "Default Service Account to which impersonate with OpenID Connect authentication"
@@ -275,22 +283,22 @@
         },
         {
           "name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
-          "description": "Service Account to use to push the snapshot image _(only define if different from default)_",
+          "description": "Service Account to use to push the snapshot image _(only define to override default)_",
           "advanced": true
         },
         {
           "name": "GCP_SNAPSHOT_OIDC_PROVIDER",
-          "description": "Workload Identity Provider to push the snapshot image _(only define if different from default)_",
+          "description": "Workload Identity Provider to push the snapshot image _(only define to override default)_",
           "advanced": true
         },
         {
           "name": "GCP_RELEASE_OIDC_ACCOUNT",
-          "description": "Service Account to use to push the release image _(only define if different from default)_",
+          "description": "Service Account to use to push the release image _(only define to override default)_",
           "advanced": true
         },
         {
           "name": "GCP_RELEASE_OIDC_PROVIDER",
-          "description": "Workload Identity Provider to push the release image _(only define if different from default)_",
+          "description": "Workload Identity Provider to push the release image _(only define to override default)_",
           "advanced": true
         }
       ]
@@ -313,12 +321,12 @@
         },
         {
           "name": "AWS_SNAPSHOT_REGION",
-          "description": "Region of the ECR registry for the snapshot image _(only define if different from default)_",
+          "description": "Region of the ECR registry for the snapshot image _(only define to override default)_",
           "advanced": true
         },
         {
           "name": "AWS_RELEASE_REGION",
-          "description": "Region of the ECR registry for the release image _(only define if different from default)_",
+          "description": "Region of the ECR registry for the release image _(only define to override default)_",
           "advanced": true
         },
         {
diff --git a/logo.png b/logo.png
index 4b836a451211a05f853691ef34bd3cf879979970..fd1e2cff1ab094be66f5943aa631bb5e5558d2c6 100644
Binary files a/logo.png and b/logo.png differ
diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml
index 25df3b401f18f82c87b026123665730a5e55d7e0..7c52540fcfe5b5f1353f5cafa5d26ef1a00a8184 100644
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -1,9 +1,46 @@
 # =====================================================================================================================
 # === AWS Auth template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    aws-region:
+      description: Default region (where the ECR registry is located)
+      default: ''
+    aws-snapshot-region:
+      description: Region of the ECR registry for the snapshot image _(only define if
+        different from default)_
+      default: ''
+    aws-release-region:
+      description: Region of the ECR registry for the release image _(only define if
+        different from default)_
+      default: ''
+    aws-oidc-aud:
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: $CI_SERVER_URL
+    aws-oidc-role-arn:
+      description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
+        authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: ''
+    aws-snapshot-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab for the snapshot image _(only
+        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        and if different from default)_
+      default: ''
+    aws-release-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab for the release image _(only
+        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        and if different from default)_
+      default: ''
+---
 variables:
-  TBC_AWS_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master"
-  AWS_OIDC_AUD: "$CI_SERVER_URL"
+  TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master
+  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
+  AWS_REGION: $[[ inputs.aws-region ]]
+  AWS_SNAPSHOT_REGION: $[[ inputs.aws-snapshot-region ]]
+  AWS_RELEASE_REGION: $[[ inputs.aws-release-region ]]
+  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
+  AWS_SNAPSHOT_OIDC_ROLE_ARN: $[[ inputs.aws-snapshot-oidc-role-arn ]]
+  AWS_RELEASE_OIDC_ROLE_ARN: $[[ inputs.aws-release-oidc-role-arn ]]
 
 .docker-base:
   services:
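Review bot: `TBC_AWS_PROVIDER_IMAGE` still defaults to the floating `:master` tag, and this line was touched without pinning it. Judging by its name and the OIDC variables next to it, the image presumably runs as a job service (the `.docker-base` `services:` list follows) and handles the credentials used to push to ECR, so whatever is published under that tag next would run with access to them. Consider a version tag or digest as the default, or at least a comment such as `# floating tag: pin to a version or @sha256 digest in hardened pipelines`. The same applies to `TBC_GCP_PROVIDER_IMAGE` (`:main`), `TBC_VAULT_IMAGE` (`:master`) and the `:latest`/`:debug` image input defaults in templates/gitlab-ci-docker.yml. `.docker-base` continues outside the hunk.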
diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml
index 4c722f73c86c4df7a917fa2201222b5ddeec0ec6..8162d6d9bc840da701908d89e3b7189478970c3f 100644
--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -1,10 +1,46 @@
 # =====================================================================================================================
 # === GCP Auth template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    gcp-oidc-aud:
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: $CI_SERVER_URL
+    gcp-oidc-account:
+      description: Default Service Account to which impersonate with OpenID Connect
+        authentication
+      default: ''
+    gcp-oidc-provider:
+      description: Default Workload Identity Provider associated with GitLab to [authenticate
+        with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+      default: ''
+    gcp-snapshot-oidc-account:
+      description: Service Account to use to push the snapshot image _(only define if
+        different from default)_
+      default: ''
+    gcp-snapshot-oidc-provider:
+      description: Workload Identity Provider to push the snapshot image _(only define
+        if different from default)_
+      default: ''
+    gcp-release-oidc-account:
+      description: Service Account to use to push the release image _(only define if
+        different from default)_
+      default: ''
+    gcp-release-oidc-provider:
+      description: Workload Identity Provider to push the release image _(only define
+        if different from default)_
+      default: ''
+---
 variables:
-  TBC_GCP_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main"
-  GCP_OIDC_AUD: "$CI_SERVER_URL"
-
+  TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main
+  GCP_OIDC_AUD: $[[ inputs.gcp-oidc-aud ]]
+  GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
+  GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]
+  GCP_SNAPSHOT_OIDC_ACCOUNT: $[[ inputs.gcp-snapshot-oidc-account ]]
+  GCP_SNAPSHOT_OIDC_PROVIDER: $[[ inputs.gcp-snapshot-oidc-provider ]]
+  GCP_RELEASE_OIDC_ACCOUNT: $[[ inputs.gcp-release-oidc-account ]]
+  GCP_RELEASE_OIDC_PROVIDER: $[[ inputs.gcp-release-oidc-provider ]]
+  
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
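Review bot: The `gcp-oidc-aud` input description links to the AWS page (`https://docs.gitlab.com/ee/ci/cloud_services/aws/`), which looks copied from the ECR variant. The `gcp-oidc-provider` input a few lines below already points at `.../cloud_services/google_cloud/`, which is the page a reader setting the audience for Workload Identity Federation needs. The same AWS link is in the new `GCP_OIDC_AUD` entry in kicker.json. Also, the blank line before `.docker-base` was replaced by a line holding two spaces; drop the trailing whitespace. `.docker-base` continues outside the hunk.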
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index 79ed9e26c697829a841b63c7a3c927db4c3e850f..3c65ee46b3d1141b1862b4769c76530bbb95b9e4 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -1,13 +1,23 @@
 # =====================================================================================================================
 # === Vault template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    vault-base-url:
+      description: The Vault server base API url
+      default: ''
+    vault-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+---
 variables:
   # variabilized vault-secrets-provider image
-  TBC_VAULT_IMAGE: "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master"
+  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master
+  VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
   # variables have to be explicitly declared in the YAML to be exported to the service
   VAULT_ROLE_ID: "$VAULT_ROLE_ID"
   VAULT_SECRET_ID: "$VAULT_SECRET_ID"
-  VAULT_OIDC_AUD: "$CI_SERVER_URL"
+  VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
 
 .docker-base:
   services:
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index e9f76377c5b63496437d8673f3a01adc2bdc821f..0fcb3b036ba24f97ae1012d2431aade2ce27587d 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -13,6 +13,183 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
+spec:
+  inputs:
+    build-tool:
+      description: The build tool to use for building container image
+      options:
+      - kaniko
+      - buildah
+      - dind
+      default: kaniko
+    kaniko-image:
+      description: |-
+        The image used to run kaniko
+
+        _for kaniko build only_
+      default: gcr.io/kaniko-project/executor:debug
+    buildah-image:
+      description: |-
+        The image used to run buildah
+
+        _for buildah build only_
+      default: quay.io/buildah/stable:latest
+    image:
+      description: |-
+        The image used to run the docker client
+
+        _for Docker-in-Docker(dind) build only_
+      default: registry.hub.docker.com/library/docker:latest
+    dind-image:
+      description: |-
+        The image used to run the Docker daemon
+
+        _for Docker-in-Docker(dind) build only_
+      default: registry.hub.docker.com/library/docker:dind
+    skopeo-image:
+      description: The image used to publish docker image with Skopeo
+      default: quay.io/skopeo/stable:latest
+    file:
+      description: The path to your `Dockerfile`
+      default: Dockerfile
+    context-path:
+      description: The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) - _only set if you want a context path different from the Dockerfile location_
+      default: ''
+    config-file:
+      description: Path to the [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) (JSON)
+      default: .docker/config.json
+    snapshot-image:
+      description: Docker snapshot image
+      default: $CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG
+    release-image:
+      description: Docker release image
+      default: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+    release-extra-tags-pattern:
+      description: |-
+        Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups)
+
+        Defaults to [SemVer](https://semver.org/) pattern.
+      default: ^v?(?P<major>[0-9]+)\.(?P<minor>[0-9]+)\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\.]+)?(?P<build>\+[0-9A-Za-z-\.]+)?)$
+    release-extra-tags:
+      description: |-
+        Defines extra tags to publish the _release_ image
+
+        Supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` (ex: `latest \g<major>.\g<minor> \g<major>`)
+      default: ''
+    build-args:
+      description: Additional docker/kaniko/buildah build arguments
+      default: ''
+    build-cache-disabled:
+      description: Disable the build cache
+      type: boolean
+      default: false
+    metadata:
+      description: Additional metadata to set as labels
+      default: >-
+        --label org.opencontainers.image.url=${CI_PROJECT_URL}
+        --label org.opencontainers.image.source=${CI_PROJECT_URL}
+        --label org.opencontainers.image.title=${CI_PROJECT_PATH}
+        --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
+        --label org.opencontainers.image.revision=${CI_COMMIT_SHA}
+        --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
+    publish-args:
+      description: Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)
+      default: ''
+    prod-publish-strategy:
+      description: Defines the publish to production strategy.
+      options:
+      - none
+      - manual
+      - auto
+      default: manual
+    semrel-release-disabled:
+      description: Disable integration with the [semantic release template](https://gitlab.com/to-be-continuous/semantic-release/)
+      type: boolean
+      default: false
+    registry-mirror:
+      description: |-
+        URL of a Docker registry mirror to use instead of default `https://index.docker.io`
+
+        _Used by `kaniko` and `dind` builds only_
+      default: ''
+    container-registries-config-file:
+      description: |-
+        The [registries.conf](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used
+
+        _Used by the `buildah` build only_
+      default: ''
+    kaniko-snapshot-image-cache:
+      description: |-
+        Snapshot image repository that will be used to store cached layers.
+
+        _Used by the `kaniko` build only_
+      default: ${DOCKER_SNAPSHOT_IMAGE%:*}/cache
+    lint-enabled:
+      description: Enable dockerfile-lint
+      type: boolean
+      default: false
+    lint-image:
+      description: The docker image to lint your Dockerfile
+      default: registry.hub.docker.com/projectatomic/dockerfile-lint:latest
+    lint-args:
+      description: Additional `dockerfile_lint` arguments
+      default: ''
+    hadolint-disabled:
+      description: Disable Hadolint
+      type: boolean
+      default: false
+    hadolint-image:
+      description: The docker image to lint your Dockerfile with Hadolint
+      default: registry.hub.docker.com/hadolint/hadolint:latest-alpine
+    hadolint-args:
+      description: Additional `hadolint` arguments
+      default: ''
+    healthcheck-disabled:
+      description: Disable Health Check
+      type: boolean
+      default: false
+    healthcheck-timeout:
+      description: When testing an image, how long (in seconds) wait for the HealthCheck status
+      type: number
+      default: 60
+    healthcheck-options:
+      description: Docker options for health check such as port mapping, environment...
+      default: ''
+    healthcheck-container-args:
+      description: Arguments sent to the running container for health check
+      default: ''
+    trivy-disabled:
+      description: Disable Trivy
+      type: boolean
+      default: false
+    trivy-image:
+      description: The docker image used to scan images with Trivy
+      default: registry.hub.docker.com/aquasec/trivy:latest
+    trivy-addr:
+      description: The Trivy server address
+      default: ''
+    trivy-security-level-threshold:
+      description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
+      options:
+      - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+      - LOW,MEDIUM,HIGH,CRITICAL
+      - MEDIUM,HIGH,CRITICAL
+      - HIGH,CRITICAL
+      - CRITICAL
+      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+    trivy-args:
+      description: Additional `trivy client` arguments
+      default: --ignore-unfixed --vuln-type os --exit-on-eol 1
+    sbom-disabled:
+      description: Disable Software Bill of Materials
+      type: boolean
+      default: false
+    sbom-image:
+      default: registry.hub.docker.com/anchore/syft:debug
+    sbom-opts:
+      description: Options for syft used for SBOM analysis
+      default: --catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger
+---
 # default workflow rules: Merge Request pipelines
 workflow:
   rules:
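Review bot: The `sbom-opts` default is not the value the old `DOCKER_SBOM_OPTS` variable had (removed in this file's next hunk): the flag changes from `--override-default-catalogers` to `--catalogers`, and three cataloger names (`alpmdb-cataloger`, `apkdb-cataloger`, `dpkgdb-cataloger`) are added, in a commit that otherwise only moves defaults into inputs. Because `sbom-image` defaults to the floating `syft:debug` tag, which flag and cataloger names are accepted depends on the syft version pulled at run time, so please confirm the change is intended and record it in a comment or the changelog. `sbom-image` is also the only input without a `description`; add e.g. `description: The docker image used to generate the SBOM with syft`.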
@@ -57,40 +234,36 @@ workflow:
 
 variables:
   # variabilized tracking image
-  TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"
+  TBC_TRACKING_IMAGE: registry.gitlab.com/to-be-continuous/tools/tracking:master
+  DOCKER_LINT_IMAGE: $[[ inputs.lint-image ]]
+  DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
+  DOCKER_IMAGE: $[[ inputs.image ]]
+  DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
+  DOCKER_KANIKO_IMAGE: $[[ inputs.kaniko-image ]]
+  DOCKER_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
+  DOCKER_BUILDAH_IMAGE: $[[ inputs.buildah-image ]]
 
-  DOCKER_HADOLINT_IMAGE: "registry.hub.docker.com/hadolint/hadolint:latest-alpine"
-  DOCKER_IMAGE: "registry.hub.docker.com/library/docker:latest"
-  DOCKER_DIND_IMAGE: "registry.hub.docker.com/library/docker:dind"
-  DOCKER_KANIKO_IMAGE: "gcr.io/kaniko-project/executor:debug"
-  DOCKER_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest"
-  DOCKER_BUILDAH_IMAGE: "quay.io/buildah/stable:latest"
-
-  # for retro-compatibility (deprecated & undocumented)
-  DOCKER_DOCKERFILE_PATH: "."
-  DOCKER_FILE: "$DOCKER_DOCKERFILE_PATH/Dockerfile"
-  DOCKER_CONFIG_FILE: ".docker/config.json"
+  DOCKER_FILE: $[[ inputs.file ]]
+  DOCKER_CONFIG_FILE: $[[ inputs.config-file ]]
 
   # When testing a Docker Health (test stage), how long (in seconds) wait for the HealthCheck status (https://docs.docker.com/engine/reference/builder/#healthcheck)
-  DOCKER_HEALTHCHECK_TIMEOUT: "60"
+  DOCKER_HEALTHCHECK_TIMEOUT: $[[ inputs.healthcheck-timeout ]]
 
   # Default Docker config uses the internal GitLab registry
-  DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
-  DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
-
-  DOCKER_KANIKO_VERBOSITY: "info"
+  DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]]
+  DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]]
 
-  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-  DOCKER_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
-  DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os --exit-on-eol 1"
+  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
+  DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
+  DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
 
   # SBOM genenration image and arguments
-  DOCKER_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug"
-  DOCKER_SBOM_OPTS: "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger"
+  DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
+  DOCKER_SBOM_OPTS: $[[ inputs.sbom-opts ]]
 
   # default: one-click publish
-  DOCKER_PROD_PUBLISH_STRATEGY: manual
-  DOCKER_RELEASE_EXTRA_TAGS_PATTERN: "^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$"
+  DOCKER_PROD_PUBLISH_STRATEGY: $[[ inputs.prod-publish-strategy ]]
+  DOCKER_RELEASE_EXTRA_TAGS_PATTERN: $[[ inputs.release-extra-tags-pattern ]]
 
   # default production ref name (pattern)
   PROD_REF: '/^(master|main)$/'
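Review bot: `DOCKER_KANIKO_VERBOSITY` and the deprecated `DOCKER_DOCKERFILE_PATH` lose their defaults here and get no matching input. Any script line that still expands `$DOCKER_KANIKO_VERBOSITY` (not visible in this hunk) would now see an empty value, and a project that relied on `DOCKER_DOCKERFILE_PATH` would silently build the root `Dockerfile` instead of the one it pointed at. If both are retired on purpose, say so in the changelog as a breaking change; otherwise keep `DOCKER_KANIKO_VERBOSITY: info` under `variables:`. The `variables:` block continues outside the hunk.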
@@ -98,22 +271,30 @@ variables:
   INTEG_REF: '/^develop$/'
 
   # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
-  DOCKER_METADATA: >-
-    --label org.opencontainers.image.url=${CI_PROJECT_URL}
-    --label org.opencontainers.image.source=${CI_PROJECT_URL}
-    --label org.opencontainers.image.title=${CI_PROJECT_PATH}
-    --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
-    --label org.opencontainers.image.revision=${CI_COMMIT_SHA}
-    --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
+  DOCKER_METADATA: $[[ inputs.metadata ]]
 
   # default to kaniko, possible options : kaniko|buildah|dind
-  DOCKER_BUILD_TOOL:
-    value: "kaniko"
-    options:
-      - "kaniko"
-      - "buildah"
-      - "dind"
-    description: "The build tool to use for building container image"
+  DOCKER_BUILD_TOOL: $[[ inputs.build-tool ]]
+
+  DOCKER_CONTEXT_PATH: $[[ inputs.context-path ]]
+  DOCKER_RELEASE_EXTRA_TAGS: $[[ inputs.release-extra-tags ]]
+  DOCKER_BUILD_ARGS: $[[ inputs.build-args ]]
+  DOCKER_BUILD_CACHE_DISABLED: $[[ inputs.build-cache-disabled ]]
+  DOCKER_PUBLISH_ARGS: $[[ inputs.publish-args ]]
+  DOCKER_SEMREL_RELEASE_DISABLED: $[[ inputs.semrel-release-disabled ]]
+  DOCKER_REGISTRY_MIRROR: $[[ inputs.registry-mirror ]]
+  CONTAINER_REGISTRIES_CONFIG_FILE: $[[ inputs.container-registries-config-file ]]
+  KANIKO_SNAPSHOT_IMAGE_CACHE: $[[ inputs.kaniko-snapshot-image-cache ]]
+  DOCKER_LINT_ENABLED: $[[ inputs.lint-enabled ]]
+  DOCKER_LINT_ARGS: $[[ inputs.lint-args ]]
+  DOCKER_HADOLINT_DISABLED: $[[ inputs.hadolint-disabled ]]
+  DOCKER_HADOLINT_ARGS: $[[ inputs.hadolint-args ]]
+  DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
+  DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]]
+  DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]]
+  DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
+  DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
+  DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
 
 # ==================================================
 # Stages definition
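Review bot: The block added after `DOCKER_BUILD_TOOL` appears to define the `*_DISABLED` / `*_ENABLED` toggles (`DOCKER_TRIVY_DISABLED`, `DOCKER_HADOLINT_DISABLED`, `DOCKER_SBOM_DISABLED`, `DOCKER_HEALTHCHECK_DISABLED`, `DOCKER_LINT_ENABLED`) unconditionally, with whatever default the input declares. The rules and scripts that consume them are outside this hunk; if any of them tests a toggle for presence (`if: $DOCKER_TRIVY_DISABLED`) rather than comparing it with `"true"`, a non-empty default such as `false` would silently skip the scan or lint job. I would add a comment above the block, `# toggles are always defined from inputs: compare with "true", never test for presence`, and check the job rules against it. `DOCKER_BUILD_TOOL` also loses its `options:` list here, so the `kaniko|buildah|dind` restriction presumably has to be declared on the `build-tool` input spec, which is not visible in this hunk.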
@@ -438,9 +619,9 @@ stages:
       kaniko_registry_mirror_option="--registry-mirror $(echo ${DOCKER_REGISTRY_MIRROR} | sed "s|^https*://||")"
     fi
     log_info "Build & deploy image $docker_image"
-    log_info "Kaniko command: /kaniko/executor --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} --verbosity $DOCKER_KANIKO_VERBOSITY $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*"
+    log_info "Kaniko command: /kaniko/executor --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*"
     # shellcheck disable=SC2086
-    /kaniko/executor --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} --verbosity $DOCKER_KANIKO_VERBOSITY $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@"
+    /kaniko/executor ${TRACE+--verbosity debug} --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@"
   }
 
   # Used by containers tools like buildah, skopeo.
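Review bot: The "Kaniko command" printed by the new `log_info` line no longer matches what is executed, because `${TRACE+--verbosity debug}` was added only to the `/kaniko/executor` call; put the same expansion in the log string so the job log shows the real invocation. `${TRACE+…}` also expands when `TRACE` is set to an empty string, so `${TRACE:+--verbosity debug}` is the safer form if an empty value is meant to leave debug output off. Projects that set `DOCKER_KANIKO_VERBOSITY` will now have it silently ignored, which is worth a changelog entry or a warning when the variable is present. The log line still prints `$DOCKER_BUILD_ARGS` expanded, so any credential passed as a build argument ends up in the job log unless the variable is masked. The enclosing function starts above this hunk.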