diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 01e86963d65dddb18788e7e3d67830701089f448..f7e18f1d63c98f73153807cec32437a488cdc037 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -20,6 +20,7 @@ stages:
   - release
 
 include:
+  - local: .gitlab/ci/rules.gitlab-ci.yml
   - local: .gitlab/ci/build.gitlab-ci.yml
   - local: .gitlab/ci/shellcheck.gitlab-ci.yml
   - local: .gitlab/ci/test.gitlab-ci.yml
diff --git a/.gitlab/ci/build.gitlab-ci.yml b/.gitlab/ci/build.gitlab-ci.yml
index 4e8402d76823e7078d4706665a701e0d6ea43154..50df156ea29b574c085b0065fa3e8635cd6e9c3a 100644
--- a/.gitlab/ci/build.gitlab-ci.yml
+++ b/.gitlab/ci/build.gitlab-ci.yml
@@ -1,4 +1,6 @@
 build:
+  extends:
+    - .rules:except-docs
   stage: build
   image: docker:19.03.5
   services:
diff --git a/.gitlab/ci/chart.gitlab-ci.yml b/.gitlab/ci/chart.gitlab-ci.yml
index 031814a8d940d057b5e2688ea610dcee8210e90d..c2e2311b3ff48d9014a2930b889f777379eebadd 100644
--- a/.gitlab/ci/chart.gitlab-ci.yml
+++ b/.gitlab/ci/chart.gitlab-ci.yml
@@ -1,6 +1,5 @@
 variables:
   SAST_DISABLE_DIND: "true"
-  SCAN_KUBERNETES_MANIFESTS: "true"
 
 include:
   - template: SAST.gitlab-ci.yml
@@ -10,6 +9,8 @@ stages:
   - release
 
 .chart-job:
+  extends:
+    - .rules:except-docs
   image: "$BUILD_IMAGE_NAME"
   before_script:
     - cd assets/auto-deploy-app
@@ -20,7 +21,17 @@ chart:lint:
   script:
     - helm lint .
 
+# Redefines kubesec-sast from SAST.gitlab-ci.yml, because using `extends` in a
+# job inherited from a template resets the inheritance chain. I.e. the job will
+# only inherit from the jobs specified in `extends` (not from the template)
 kubesec-sast:
+  extends:
+    - .sast-analyzer
+    - .rules:except-docs
+  image:
+    name: "$SAST_ANALYZER_IMAGE"
+  variables:
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
   variables:
     KUBESEC_HELM_CHARTS_PATH: 'assets/auto-deploy-app'
     KUBESEC_HELM_OPTIONS: '-f assets/auto-deploy-app/values.yaml'
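Review bot: The redefined `kubesec-sast` job now carries `variables:` twice — the added block holding `SAST_ANALYZER_IMAGE` is immediately followed by the pre-existing block with `KUBESEC_HELM_CHARTS_PATH` and `KUBESEC_HELM_OPTIONS`; a YAML mapping may not repeat a key, and most loaders silently keep the last occurrence, which would drop `SAST_ANALYZER_IMAGE` and leave `image.name: "$SAST_ANALYZER_IMAGE"` to whatever the template's own job definition or the global scope happens to supply. Delete the second `variables:` line so the three entries sit under a single key. Separately, because `rules` is an array and the last `extends` entry wins, any rules that `.sast-analyzer` defines in the SAST template (a `$SAST_DISABLED` opt-out, for instance) no longer apply to this scan; if that guard is wanted it has to be restated here, as the new rules file's own NOTE explains. The job's `script` continues beyond this hunk.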
@@ -28,9 +39,6 @@ kubesec-sast:
     - cd assets/auto-deploy-app
     - helm repo add stable https://charts.helm.sh/stable
     - helm dependency build .
-  # we are using merge request pipelines, so we need to override the rules
-  rules:
-    - if: $SCAN_KUBERNETES_MANIFESTS == 'true'
 
 chart:test:
   extends: .chart-job
diff --git a/.gitlab/ci/release.gitlab-ci.yml b/.gitlab/ci/release.gitlab-ci.yml
index bdca3c03ee129d81e758afbe8b4aa161483a54ba..f115d8bd51cfb42f18b3ac2514ba0f6bd5efa0a6 100644
--- a/.gitlab/ci/release.gitlab-ci.yml
+++ b/.gitlab/ci/release.gitlab-ci.yml
@@ -4,7 +4,6 @@
 # See README.md for more information
 # * If there is a new release it will tag the repository with the new release as the `ops-gitlab-net`
 # user
-
 .semantic-release:
   image: node:12
   stage: release
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cc88fe5ae31e21e1d530ef8b3f02c8f33ec1321b
--- /dev/null
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -0,0 +1,11 @@
+# Shared rules to be used with `extends`.
+#
+# NOTE: Since `rules` is an array, the child job definition cannot
+# extend the rules further. Specifying rules in the child job would
+# override the inherited rules entirely.
+
+.rules:except-docs:
+  rules:
+    - if: '$CI_COMMIT_MESSAGE =~ /\Adocs:/'
+      when: never
+    - when: on_success
diff --git a/.gitlab/ci/shellcheck.gitlab-ci.yml b/.gitlab/ci/shellcheck.gitlab-ci.yml
index 97258571da5a768f47ee61a95ccdf730807820b9..297a10534c3b23f0a148412057c6ba3ded9a8cf6 100644
--- a/.gitlab/ci/shellcheck.gitlab-ci.yml
+++ b/.gitlab/ci/shellcheck.gitlab-ci.yml
@@ -1,4 +1,6 @@
 test-shellcheck:
+  extends:
+    - .rules:except-docs
   stage: test
   image: koalaman/shellcheck-alpine:stable
   needs: []
@@ -6,6 +8,8 @@ test-shellcheck:
     - shellcheck src/bin/auto-deploy test/verify-application-secret test/verify-deployment-database
 
 test-shfmt:
+  extends:
+    - .rules:except-docs
   stage: test
   image:
     name: mvdan/shfmt:v3.2.1-alpine
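Review bot: `.rules:except-docs` keys the skip entirely on `$CI_COMMIT_MESSAGE`, which is written by whoever pushes the commit, so a subject beginning with `docs:` switches off build, shellcheck/shfmt, the `.test-job`-based jobs, rspec, the helm2 check and `kubesec-sast` (the `extends` hunks in the build, shellcheck, chart and test files) regardless of which files the commit changes. That is only sound while a job that inspects the actual diff — `assert-docs-only` in test.gitlab-ci.yml, added in this same commit — runs on exactly the same condition and can neither be skipped nor allowed to fail; the header comment should record that dependency, e.g. `# The skip trusts the commit subject alone; assert-docs-only (test.gitlab-ci.yml) must keep verifying that the diff really is docs-only.` The trailing `- when: on_success` also means every extending job now runs in every other pipeline type (branch, tag, schedule); as far as the diff shows that matches the previous unconditional behaviour of these jobs, but it is worth a line in the comment.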
diff --git a/.gitlab/ci/test.gitlab-ci.yml b/.gitlab/ci/test.gitlab-ci.yml
index 417ee90f2086ee1560f85b35dafe470a2f3c6922..29d8025595aaf9d46440410c2601a9dd7b2cfd06 100644
--- a/.gitlab/ci/test.gitlab-ci.yml
+++ b/.gitlab/ci/test.gitlab-ci.yml
@@ -1,4 +1,6 @@
 .test-job: &test-job
+  extends:
+    - .rules:except-docs
   stage: test
   image: "$BUILD_IMAGE_NAME"
   interruptible: true
@@ -418,6 +420,8 @@ test-chart-major-version-upgrade:
     - grep -q "allowed to force deploy" deploy.log || exit 1
 
 test-upgrade-from-helm2-fails:
+  extends:
+    - .rules:except-docs
   image: docker:19.03.12
   services:
     - docker:19.03.12-dind
@@ -463,6 +467,8 @@ test-upgrade-from-helm2-fails:
       | grep 'Error: rendered manifests contain a resource that already exists.'
 
 rspec:
+  extends:
+    - .rules:except-docs
   stage: test
   image: ruby:2.7
   before_script:
@@ -480,3 +486,14 @@ commitlint:
     - npx --quiet commitlint --from="$CI_MERGE_REQUEST_DIFF_BASE_SHA" --help-url 'https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image#git-commit-guidelines'
   rules:
     - if: "$CI_MERGE_REQUEST_EVENT_TYPE != 'merge_train' && $CI_MERGE_REQUEST_DIFF_BASE_SHA"
+
+# This complements the except-docs rule in rules.gitlab-ci.yml to ensure that do
+# not skip tests when code is *actually* changed.
+assert-docs-only:
+  image: alpine
+  rules:
+    - if: '$CI_COMMIT_MESSAGE =~ /\Adocs:/'
+  before_script:
+    - apk add git
+  script:
+    - git diff --name-only HEAD~1 | grep -v '.md$' && exit 1 || exit 0
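Review bot: `assert-docs-only` diffs only `HEAD~1`, i.e. the tip commit, while a push may carry several commits and the skip in `.rules:except-docs` already fires on the tip's message alone, so code changed in earlier commits of the same push is never examined; `commitlint` directly above uses `$CI_MERGE_REQUEST_DIFF_BASE_SHA` for the same purpose and this job should too, falling back to `HEAD~1` outside merge-request pipelines. The `grep -v '.md$'` pattern has an unescaped dot, and the `… && exit 1 || exit 0` tail turns a failing `git diff` (a missing `HEAD~1` in a shallow clone, for example) into a pass because grep then sees empty input. A shape that fails closed is `- git diff --name-only "${CI_MERGE_REQUEST_DIFF_BASE_SHA:-HEAD~1}" > changed-files.txt` followed by `- if grep -v '\.md$' changed-files.txt; then echo "non-docs files changed"; exit 1; fi`, so that a git error aborts the job and a non-Markdown path fails it. The comment above the job reads "to ensure that do not skip" and is missing "we", and `image: alpine` is the only image in this file without a pinned tag.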