diff --git a/.gitlab/merge_request_templates/new_feature.md b/.gitlab/merge_request_templates/new_feature.md
index 74abae94c94dc0768bb5c51fe51ad253fce113fe..491b7f98ded7e0da03d18c95978eafcb7d86619f 100644
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist
 
 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
     * [ ] untagged runners
     * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`
diff --git a/CHANGELOG.md b/CHANGELOG.md
index da003ae5ebd29d25cee85c177f042efbc0c65d37..4aa14b1cd4d02f237328260e04686b8c1d445334 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,11 @@
-# [4.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/compare/4.2.4...4.3.0) (2025-01-29)
+## [4.3.1](https://gitlab.com/to-be-continuous/sonar/compare/4.3.0...4.3.1) (2025-03-20)
+
+
+### Bug Fixes
+
+* use keystore when either DEFAULT_CA_CERTS or CUSTOM_CA_CERTS are set ([b4373ed](https://gitlab.com/to-be-continuous/sonar/commit/b4373edbbb58bc048c351d824e30b823cb94cc06))
+
+# [4.3.0](https://gitlab.com/to-be-continuous/sonar/compare/4.2.4...4.3.0) (2025-01-27)
 
 
 ### Features
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 2c732f57dbd940c69f124644cd02dd64338b453e..c7993ac14853a911df1c40b1a497f9528a17830e 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:
 
 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
    Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
 
 ### Git Commit Conventions
diff --git a/README.md b/README.md
index ac6a623b91d23e1d6c267aad7fdf1187d045f1d7..2183f2c06a7938d7b663d7edd1f71b8cb9699032 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ security vulnerabilities as early as possible.
 
 ## Usage
 
-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.
 
 ### Use as a CI/CD component
 
@@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
   # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.1
     # 2: set/override component inputs
     inputs:
       host-url: https://sonarqube.acme.host # ⚠ this is only an example
@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
   # 1: include the template
   - project: 'to-be-continuous/sonar'
-    ref: '4.3.0'
+    ref: '4.3.1'
     file: '/templates/gitlab-ci-sonar.yml'
 
 variables:
@@ -46,7 +46,7 @@ It is bound to the `test` stage, and uses the following variables:
 
 | Input / Variable | Description                     | Default value |
 | ------------------------ | ------------------------------- | ----------------------------- |
-| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
+| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-SONAR_SCANNER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-SONAR_SCANNER_IMAGE) |
 | `host-url` / `SONAR_HOST_URL` | SonarQube server url            | _none_ (disabled) |
 | `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) |
 | `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) |
@@ -65,7 +65,7 @@ from GitLab's environment variables.
 :warning: This feature also depends on your SonarQube server version and license.
 If using Community Edition, you'll have to install the [sonarqube-community-branch-plugin](https://github.com/mc1arke/sonarqube-community-branch-plugin) to enable automatic Branch & Merge Request analysis (only works from SonarQube version 8).
 
-:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default).
+:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ci/yaml/workflow/#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default).
 
 ### Configuring SonarQube project key, project name and other parameters
 
@@ -96,7 +96,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
 
-By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
 
 #### Usage
 
@@ -118,9 +118,9 @@ With:
 ```yaml
 include:
   # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.1
   # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.3.1
     inputs:
        # audience claim for JWT
       vault-oidc-aud: "https://vault.acme.host"
diff --git a/templates/gitlab-ci-sonar-vault.yml b/templates/gitlab-ci-sonar-vault.yml
index 7b496b2b6bd5d111ae58df2c2f3c0539413a59c6..0db57458cbfe0d10d10d1cf050295051fed22abb 100644
--- a/templates/gitlab-ci-sonar-vault.yml
+++ b/templates/gitlab-ci-sonar-vault.yml
@@ -22,7 +22,7 @@ variables:
 sonar:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "sonar", "4.3.0"]
+      command: ["--service", "sonar", "4.3.1"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:
diff --git a/templates/gitlab-ci-sonar.yml b/templates/gitlab-ci-sonar.yml
index c31c5d4aee89e7ed750783930adc5a4b095ea31c..3e0d494e01841ca439125b7c0b2f184d26dbcbe2 100644
--- a/templates/gitlab-ci-sonar.yml
+++ b/templates/gitlab-ci-sonar.yml
@@ -395,7 +395,7 @@ sonar:
     entrypoint: [""]
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "sonar", "4.3.0"]
+      command: ["--service", "sonar", "4.3.1"]
   variables:
     # see: https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/setting-up-at-project-level/
     SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
@@ -436,13 +436,11 @@ sonar:
         export SONAR_TOKEN="$SONAR_AUTH_TOKEN"
       fi
     - |
-      if [[ -z "$CUSTOM_CA_CERTS" ]]
+      if [[ "$CUSTOM_CA_CERTS" ]] || [[ "$DEFAULT_CA_CERTS" ]]
       then
-        log_info '$CUSTOM_CA_CERTS not set: using default keystore'
-      else
-        log_info '$CUSTOM_CA_CERTS variable detected: using writable keystore path (/tmp/writable_keystore)'
+        log_info "Custom CA certificates detected: using custom Java KeyStore"
         export CUSTOM_KEYSTORE_PATH="/tmp/writable_keystore"
-        export CUSTOM_KEYSTORE_PASSWORD="changeit"
+        export CUSTOM_KEYSTORE_PASSWORD=${JAVA_KEYSTORE_PASSWORD:-changeit}
       fi
     - >-
       sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args