diff --git a/templates/gitlab-ci-gitleaks.yml b/templates/gitlab-ci-gitleaks.yml
index 9b1005e01287ef9c8d07a875a3b1bfd011ef7d64..b4ae879bfb35140de9e59ba3a253b471345053e3 100644
--- a/templates/gitlab-ci-gitleaks.yml
+++ b/templates/gitlab-ci-gitleaks.yml
@@ -13,6 +13,14 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
+# default workflow rules
+workflow:
+  rules:
+    # exclude merge requests
+    - if: $CI_MERGE_REQUEST_ID
+      when: never
+    - when: always
+
 variables:
   # variabilized tracking image
   TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
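Review bot: The `workflow:` block added at the top of this template is a pipeline-level setting, so it decides which pipelines exist for every job of any project that includes the file, not only for the gitleaks jobs. As far as I know, GitLab's include merging replaces rule lists rather than concatenating them, so a `workflow:rules` in the including `.gitlab-ci.yml` (or in a later include) would drop this merge-request exclusion. Because the two later hunks remove the per-job `$CI_MERGE_REQUEST_ID` / `when: never` entries from `gitleaks` and `gitleaks-quick`, those jobs would then also be evaluated in merge request pipelines, with nothing in the template signalling the change. I would either keep the per-job guard as a fallback or document the dependency next to the block, e.g. `# NOTE: pipeline-wide; a project-level workflow:rules replaces this list and must exclude merge request pipelines itself`. As a minor style point, the new `if: $CI_MERGE_REQUEST_ID` is unquoted while the job-level `if:` expressions in this file are single-quoted.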
@@ -202,9 +210,6 @@ gitleaks:
     paths:
       - gitleaks/
   rules:
-    # exclude merge requests
-    - if: $CI_MERGE_REQUEST_ID
-      when: never
     # on production and integration branch(es)
     - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
 
@@ -216,9 +221,6 @@ gitleaks-quick:
   script:
     - gitleaks detect ${TRACE+--log-level debug} --source . $gitleaks_rule_opts --report-path ./gitleaks/gitleaks-report.json --log-opts="-n ${GITLEAKS_QUICK_DEPTH}" $GITLEAKS_QUICK_ARGS
   rules:
-    # exclude merge requests
-    - if: $CI_MERGE_REQUEST_ID
-      when: never
     # only on non-production, non-integration branches
     - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
       allow_failure: true