diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f28b1d2a..f5759d43 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,37 @@
+include:
+ - template: Security/Container-Scanning.gitlab-ci.yml
+
+##############################################################################
+# Pipeline stages in order of execution #
+##############################################################################
+stages:
+ - build
+ - publish
+ - sca
+
+##############################################################################
+# Pipeline behavior #
+##############################################################################
+workflow:
+ rules:
+ # Run the pipeline on commits to the default branch
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ variables:
+ # Set the Docker image tag to `latest`
+ DOCKER_IMAGE: $CI_REGISTRY_IMAGE:latest
+ when: always
+ # Run the pipeline on tag creation
+ - if: $CI_COMMIT_TAG
+ variables:
+ # Set the Docker image tag to the Git tag name
+ DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+ when: always
+ # Don't run the pipeline on all other occasions
+ - when: never
+
+##############################################################################
+# Default values for pipeline jobs #
+##############################################################################
 default:
 image: docker:24.0.6
 services:
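Review bot: The new `stages` order (`build`, `publish`, `sca`) runs `container_scanning` only after `publish`, so `latest` or the tag is already live in the registry by the time findings arrive and the scan cannot gate the release. If the intent is to block vulnerable images, push under a candidate tag first and promote it in a later stage once `container_scanning` passes; as far as I recall the included template scans `CS_IMAGE` by pulling it from the registry, so scanning the saved tarball directly would need a different scanner setup. Separately, the `workflow:rules` fallthrough `- when: never` means merge-request and branch pipelines never run, so the scan only reports on code that is already merged; if that is intentional, a comment such as `# Intentionally no MR pipelines: scan results land post-merge` above the rule would save the next reader the question.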
@@ -5,38 +39,46 @@ default:
 tags:
 - docker
+##############################################################################
+# CI/CD variables for all jobs in the pipeline #
+##############################################################################
 variables:
 DOCKER_TLS_CERTDIR: /certs
+ DOCKER_BUILD_PATH: .
+ DOCKERFILE: Dockerfile
-build_image:
+##############################################################################
+# Pipeline jobs #
+##############################################################################
+build:
 stage: build
- rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- when: on_success
- variables:
- IMAGE_TAG: $CI_REGISTRY_IMAGE:latest
- - if: $CI_COMMIT_TAG
- when: "on_success"
- variables:
- IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
- - when: never
- before_script:
- - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
 script:
- - docker build -t $IMAGE_TAG .
- - docker push $IMAGE_TAG
+ - docker build --tag $DOCKER_IMAGE --file $DOCKERFILE $DOCKER_BUILD_PATH
+ - docker save $DOCKER_IMAGE > docker_image.tar
+ artifacts:
+ paths:
+ - docker_image.tar
-include:
- - template: Security/Container-Scanning.gitlab-ci.yml
+publish:
+ stage: publish
+ before_script:
+ - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+ script:
+ - docker load --input docker_image.tar
+ - docker push $DOCKER_IMAGE
+ after_script:
+ - docker logout $CI_REGISTRY
 container_scanning:
+ stage: sca
 rules:
+ # Run the job on commits to the default branch
 - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- when: on_success
- variables:
- CS_IMAGE: $CI_REGISTRY_IMAGE:latest
+ when: always
+ # Run the job on tag creation
 - if: $CI_COMMIT_TAG
- when: on_success
- variables:
- CS_IMAGE: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}
+ when: always
+ # Don't run the job on all other occasions
 - when: never
+ variables:
+ CS_IMAGE: $DOCKER_IMAGE
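Review bot: In `publish:before_script`, `docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY` still hands the token over as a command-line argument, which the Docker CLI itself warns is insecure because it can surface in process listings and shell traces; prefer `echo "$CI_JOB_TOKEN" | docker login --username gitlab-ci-token --password-stdin $CI_REGISTRY`. The `build` job also uploads the whole image as the `docker_image.tar` artifact with no `expire_in`, so a downloadable copy of every published image is retained for the project's default artifact lifetime even though `publish` is its only consumer; add `expire_in: 1 hour` (or whatever the stage gap allows) under `artifacts:`. A short comment on the artifact, e.g. `# Hand-off to the publish job only; the registry is the long-term copy`, would make that retention choice explicit.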