diff --git a/README.md b/README.md
index 4d6ca3c2fbead1f63c57c0e6306b7851c5cbed9a..436228e827d1707ccc14817dccb0d0ee0da5a9b0 100644
--- a/README.md
+++ b/README.md
@@ -273,6 +273,7 @@ It is bound to the `build` stage, and uses the following variables:
 | `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
 | `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image                     | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`       |
 | `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments        | _(none)_                        |
+| `hadolint-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
 
@@ -307,6 +308,9 @@ It is bound to the `package-build` stage, and uses the following variables:
 | `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label                                                                                                               | OCI Image Format Specification |
 | `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers (leave empty to use default: snapshot image repository + `/cache`)<br>:warning: Used by the `kaniko` build only | _none_ (default cache path) |
 | `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED`      | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
+| `kaniko-build-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
+| `dind-build-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
+| `buildah-build-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
 
@@ -375,6 +379,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
 | `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
 | `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check         | _(none)_ |
+| `healthcheck-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
 
@@ -405,6 +410,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
 | `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
 | `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
+| `docker-trivy-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
 
@@ -424,6 +430,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
 | `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
+| `docker-sbom-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 ### `docker-publish` job
 
@@ -437,6 +444,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
 | `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
 | `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags))       | _(none)_          |
 | `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
+| `docker-publish-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
 
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 3bd7401c5ca2890e42c6d5945aa7bb9a7aafa40b..4b154ee6920ddba8b6dd2d08d334773d57268da0 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -205,16 +205,16 @@ spec:
       description: tags to filter applicable runners for healthcheck job
       type: array
       default: []
-    trivy-job-tags:
-      description: tags to filter applicable runners for trivy job
+    docker-trivy-job-tags:
+      description: tags to filter applicable runners for docker-trivy job
       type: array
       default: []
-    sbom-job-tags:
-      description: tags to filter applicable runners for sbom job
+    docker-sbom-job-tags:
+      description: tags to filter applicable runners for docker-sbom job
       type: array
       default: []
-    publish-job-tags:
-      description: tags to filter applicable runners for publish job
+    docker-publish-job-tags:
+      description: tags to filter applicable runners for docker-publish job
       type: array
       default: []
 
@@ -1006,7 +1006,7 @@ docker-trivy:
     - if: '$DOCKER_TRIVY_DISABLED == "true"'
       when: never
     - !reference [.test-policy, rules]
-  tags: $[[ inputs.trivy-job-tags ]]
+  tags: $[[ inputs.docker-trivy-job-tags ]]
 
 docker-sbom:
   extends: .docker-base
@@ -1033,7 +1033,7 @@ docker-sbom:
     - if: '$DOCKER_SBOM_DISABLED == "true"'
       when: never
     - !reference [.test-policy, rules]
-  tags: $[[ inputs.sbom-job-tags ]]
+  tags: $[[ inputs.docker-sbom-job-tags ]]
 
 # ==================================================
 # Stage: publish
@@ -1105,4 +1105,4 @@ docker-publish:
     - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"'
       when: manual
     - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"'
-  tags: $[[ inputs.publish-job-tags ]]
\ No newline at end of file
+  tags: $[[ inputs.docker-publish-job-tags ]]
\ No newline at end of file