diff --git a/README.md b/README.md
index 3bd381408ef69a3401bba31cac3798d9e116f510..40fdfd86156b9e97075012293eb63a781d8ffbaa 100644
--- a/README.md
+++ b/README.md
@@ -554,7 +554,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 
 | Name              | Description                            | Default value     |
 | ----------------- | -------------------------------------- | ----------------- |
-| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
+| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
 | `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
 | `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
@@ -616,7 +616,7 @@ List of requirements before using this variant for publishing your container ima
 
 | Name                     | description                            | default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
-| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main` |
+| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main` |
 | `GCP_OIDC_PROVIDER`      | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
 | `GCP_OIDC_ACCOUNT`       | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
 | `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define if different from default)_ | _none_ |
@@ -673,7 +673,7 @@ In order to use the AWS APIs, the variant supports two authentication methods:
 
 | Name                     | description                            | default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
-| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master` |
+| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master` |
 | `AWS_REGION`             | Default region (where the ECR registry is located) | _none_ |
 | `AWS_SNAPSHOT_REGION`    | Region of the ECR registry for the snapshot image _(only define if different from default)_ | _none_ |
 | `AWS_RELEASE_REGION`     | Region of the ECR registry for the release image _(only define if different from default)_ | _none_ |
diff --git a/kicker.json b/kicker.json
index ca9976a933916e21b3e00c729c32119f84392531..3f43e3012a977403fe72037112626e8556de41ac 100644
--- a/kicker.json
+++ b/kicker.json
@@ -226,7 +226,7 @@
         {
           "name": "TBC_VAULT_IMAGE",
           "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
-          "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",
+          "default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
           "advanced": true
         },
         {
@@ -262,7 +262,7 @@
         {
           "name": "TBC_GCP_PROVIDER_IMAGE",
           "description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use",
-          "default": "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main",
+          "default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main",
           "advanced": true
         },
         {
@@ -304,7 +304,7 @@
         {
           "name": "TBC_AWS_PROVIDER_IMAGE",
           "description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",
-          "default": "$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master",
+          "default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master",
           "advanced": true
         },
         {
diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml
index 7d9ee1c981bff10af4dbaec38e3038f13231ebfd..62b42d2375ac82fe4bd0b0db709a6ac6a8f75239 100644
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -2,7 +2,7 @@
 # === AWS Auth template variant
 # =====================================================================================================================
 variables:
-  TBC_AWS_PROVIDER_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master"
+  TBC_AWS_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master"
   AWS_OIDC_AUD: "$CI_SERVER_URL"
 
 .docker-base:
diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml
index 59f3c2a29db1b1dfc57a4698d244a2545cec24c7..e81d0b39d053212ad704c0642969df202b316666 100644
--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -2,7 +2,7 @@
 # === GCP Auth template variant
 # =====================================================================================================================
 variables:
-  TBC_GCP_PROVIDER_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main"
+  TBC_GCP_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main"
   GCP_OIDC_AUD: "$CI_SERVER_URL"
 
 .docker-base:
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index 6ed67228358e3b3200dbc45bb9408a5ccda35726..9328c9b9e95bf3b6ae9431087c82943d896a3a0d 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -3,7 +3,7 @@
 # =====================================================================================================================
 variables:
   # variabilized vault-secrets-provider image
-  TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
+  TBC_VAULT_IMAGE: "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master"
   # variables have to be explicitly declared in the YAML to be exported to the service
   VAULT_ROLE_ID: "$VAULT_ROLE_ID"
   VAULT_SECRET_ID: "$VAULT_SECRET_ID"
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index fe3a16a03d60a63ed05fc0b43f718364c0ca74d1..a2ccd479010ba392fa9e9bd1186cecddd0413ee3 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -57,7 +57,7 @@ workflow:
 
 variables:
   # variabilized tracking image
-  TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
+  TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"
 
   DOCKER_HADOLINT_IMAGE: "registry.hub.docker.com/hadolint/hadolint:latest-alpine"
   DOCKER_IMAGE: "registry.hub.docker.com/library/docker:latest"