diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml
index ff6e530..3835b33 100644
--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@@ -9,29 +9,34 @@ spec:
 default: "spec, test, tests, tmp"
 excluded_analyzers:
 default: ""
- image_prefix:
+ analyzer_image:
 default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
- image_suffix:
- dafault: ""
 search_max_depth:
 default: 4
 image_tag:
 default: 6
 ---
-kics-iac-sast:
+iac-sast:
 stage: $[[ inputs.stage ]]
- image:
- name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
- variables:
- SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
- script:
- - /analyzer run
 artifacts:
 access: 'developer'
 reports:
 sast: gl-sast-report.json
+ rules:
+ - when: never
+ # `rules` must be overridden explicitly by each child job
+ # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
+ variables:
+ SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
 allow_failure: true
+ script:
+ - /analyzer run
+
+kics-iac-sast:
+ extends: iac-sast
+ image:
+ name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]"
 rules:
 - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
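Review bot: Renaming the `image_prefix` input to `analyzer_image` and dropping `image_suffix` changes the component's public interface, so any consumer that still passes `inputs: image_prefix:` or `inputs: image_suffix:` will fail at include time with an unknown-input error; this needs a changelog entry and a major version bump, or `image_prefix` kept as a deprecated alias for one release. The two comment lines starting `# \`rules\` must be overridden explicitly by each child job` sit after the `rules:` block they explain, between `- when: never` and `variables:`; move them directly above `rules:` so they are not read as a note on `variables`. If `iac-sast` is only ever meant to be extended, a hidden job (`.iac-sast:`) would express that without relying on each child remembering to override `rules`, unless the linked issue is precisely what rules that out — worth a one-line comment either way. The design does work because a child's `rules:` array replaces the base's `- when: never` wholesale under `extends:`; the hunk's trailing context ends inside `kics-iac-sast`'s rules, so any further rules are outside this view.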