diff --git a/README.md b/README.md
index e0e3d378d611ac9b3fb0380eb2e771bd0afd1d1d..52f02d2289ba8449485c736e9f453077e66b4bb9 100644
--- a/README.md
+++ b/README.md
@@ -257,7 +257,7 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `sbom-disabled` / `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `TBC_SBOM_MODE`                      | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `GO_SBOM_DISABLED` takes precedence | `onrelease` |
-| `sbom-image` / `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GO_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GO_SBOM_IMAGE) |
+| `sbom-image` / `GO_SBOM_IMAGE` | Specific Docker image used to run cyclonedx-gomod | `$GO_IMAGE` |
 | `sbom-opts` / `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |
 
 :warning: if you don't have your main class located at the root of your `GO_PROJECT_DIR`, then you will need to override the `-main` option in `GO_SBOM_OPTS` and define your real main class location.
diff --git a/kicker.json b/kicker.json
index 1a592ce9389dfe8bdd5639a2ef02a5df55585be2..09beaf7bf3aa35af460370159813af47ae468dd0 100644
--- a/kicker.json
+++ b/kicker.json
@@ -150,7 +150,9 @@
         },
         {
           "name": "GO_SBOM_IMAGE",
-          "default": "registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest"
+          "description": "Specific Docker image used to run cyclonedx-gomod",
+          "advanced": true,
+          "default": "$GO_IMAGE"
         },
         {
           "name": "GO_SBOM_OPTS",
diff --git a/templates/gitlab-ci-golang.yml b/templates/gitlab-ci-golang.yml
index a441e642dd6d1b9ea3ff665dc783ecbb3248c5ba..94dbee44c17140e1a7f9c56939e6ee17f5c81e0c 100644
--- a/templates/gitlab-ci-golang.yml
+++ b/templates/gitlab-ci-golang.yml
@@ -109,7 +109,8 @@ spec:
       type: boolean
       default: false
     sbom-image:
-      default: registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest
+      description: Specific Docker image used to run cyclonedx-gomod
+      default: '$GO_IMAGE'
     sbom-opts:
       description: '[@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis'
       default: -main .
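Review bot: The new `sbom-image` description does not say what the job requires of the image now that the default is `$GO_IMAGE`. Judging by the fallback added in the `go-sbom` script, an image without cyclonedx-gomod must ship a Go toolchain and be able to reach the module proxy, which matters on restricted or offline runners. Suggested wording: `description: Docker image used to run cyclonedx-gomod (installed with 'go install' at job time when the image does not provide it)`. The same description text is added in kicker.json and would need the same change.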
@@ -807,7 +808,7 @@ go-sbom:
   image:
     name: $GO_SBOM_IMAGE
     entrypoint: [""]
-  # manage separate GitLab cache to prevent permission denied error (this image being rootless, it can't rewrite Go cache - owned by root)
+  # manage separate GitLab cache to prevent permission denied error (cyclonedx-gomod image being rootless, it can't rewrite Go cache - owned by root)
   # see: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29663
   cache:
     key: "$CI_COMMIT_REF_SLUG-golang-sbom"
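Review bot: The reworded cache comment still explains the separate cache by the cyclonedx-gomod image being rootless, but this commit changes the default `GO_SBOM_IMAGE` to `$GO_IMAGE`, so by default the job no longer runs in that image. Scope the comment to the case it covers, for example `# manage separate GitLab cache: a rootless GO_SBOM_IMAGE (e.g. the cyclonedx-gomod image) can't rewrite the Go cache owned by root`. Whether the separate cache key is still needed with the default image cannot be told from this hunk, and the `cache:` block continues outside it.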
@@ -817,10 +818,10 @@ go-sbom:
   dependencies: []
   needs: []
   script:
+    - command -v cyclonedx-gomod > /dev/null || go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
     - mkdir -p -m 777 reports
     - go_mode=$(go_build_mode)
-    - |
-      cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
+    - cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
     - chmod a+r reports/go-sbom.cyclonedx.json
   artifacts:
     name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
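Review bot: The added fallback `go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest` resolves a moving version at job time, so the tool that produces the SBOM is not reproducible and whichever release is newest gets executed in the pipeline without review. Pin it to a vetted release, e.g. `go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@<PINNED_VERSION>` (placeholder), ideally via a template variable so the version is bumped deliberately. The later `cyclonedx-gomod` call also appears to rely on Go's install directory being on `PATH` in `$GO_IMAGE`, which is worth confirming. The `go-sbom` job continues outside the hunk.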