diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index af5647a9abf92d1e26719665d4935b4a9c4b1979..d9582152b30ea035c10a80e5cbad4776d79ad6be 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -629,6 +629,7 @@ trigger-updates:
         --gitlab-api-token "${DASHBOARD_GITLAB_API_TOKEN}"
         --gitlab-server-url "${CI_SERVER_URL}"
         --projects packaging.json
+        --whitelists data/whitelists.yaml
         --filter "${TRIGGER_UPDATES}"
         ${TRIGGER_SECURITY_UPDATES:+--only-security}
         ${DEBUG:+--debug}
diff --git a/bin/trigger-updates b/bin/trigger-updates
index 168af346612087913d3c80264043ff78f609a307..a402b49fb1c2e6c26ba32f3568bc63dff01b07dc 100755
--- a/bin/trigger-updates
+++ b/bin/trigger-updates
@@ -8,6 +8,7 @@ import json
 import logging
 
 import gitlab
+import yaml
 
 
 def connect(gitlab_instance, gitlab_server_url, gitlab_api_token):
@@ -48,6 +49,12 @@ def trigger_updates(gl, data, filterglob):
                 path_with_namespace = package["git"]["path_with_namespace"]
                 ref = report.get("base")["name"]
 
+                if report["branch"] not in trusted_sources.keys():
+                    logging.info(
+                        f'Skipping {package_name} {report["upstream"]["version"]} from {report["branch"]} because not in trusted sources'
+                    )
+                    continue
+
                 should_trigger_security = True
                 if args.only_security:
                     if not report["branch"].endswith("-security"):
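Review bot: The new check reads `trusted_sources` as a module global that is only assigned inside the `if __name__ == "__main__":` block, so `trigger_updates()` would raise NameError if it were ever imported or called from another entry point. Since this list decides which upstream branches may trigger a pipeline, it is clearer to pass it in explicitly, e.g. `def trigger_updates(gl, data, filterglob, trusted_sources):`, and update the call at the bottom of the script to match. The `.keys()` call is redundant; `if report["branch"] not in trusted_sources:` does the same membership test. A short comment above the check such as `# Only branches listed under whitelists.trigger_updates may trigger an update` would help the next reader. The function body starts and ends outside this hunk.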
@@ -110,6 +117,11 @@ if __name__ == "__main__":
         action="store_true",
         help="trigger only security updates",
     )
+    parser.add_argument(
+        "--whitelists",
+        type=argparse.FileType("r"),
+        help="input file containing white lists in YAML format",
+    )
     parser.add_argument(
         "--gitlab-instance",
         type=str,
@@ -127,6 +139,14 @@ if __name__ == "__main__":
     else:
         logging.basicConfig(level=args.loglevel or logging.INFO)
 
+    if args.whitelists:
+        whitelists = yaml.load(args.whitelists, Loader=yaml.CSafeLoader).get(
+            "whitelists"
+        )
+        trusted_sources = whitelists["trigger_updates"]
+    else:
+        trusted_sources = {}
+
     gl = connect(args.gitlab_instance, args.gitlab_server_url, args.gitlab_api_token)
     data = json.load(args.projects)
     trigger_updates(gl, data, args.filter)
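Review bot: Loading the allow-list has several unguarded failure modes in the `if args.whitelists:` block. `yaml.CSafeLoader` is only present when PyYAML is built against libyaml, so this raises AttributeError on a pure-Python install; an empty file makes `yaml.load` return None, and a missing `whitelists` or `trigger_updates` key fails with AttributeError, TypeError or KeyError. Separately, when `--whitelists` is omitted, `trusted_sources = {}` makes every report get skipped at info level; failing closed is the safe default, but it should be announced with a warning so a misconfigured job is not mistaken for "nothing to update". The fence below keeps the safe loader, falls back to `yaml.SafeLoader`, and warns when the resulting list is empty.

```python
    if args.whitelists:
        # CSafeLoader exists only when PyYAML was built against libyaml.
        loader = getattr(yaml, "CSafeLoader", yaml.SafeLoader)
        document = yaml.load(args.whitelists, Loader=loader) or {}
        trusted_sources = (document.get("whitelists") or {}).get("trigger_updates") or {}
    else:
        trusted_sources = {}
    if not trusted_sources:
        logging.warning("No trusted sources configured, every update will be skipped")

    # … unchanged: connect(), json.load() and trigger_updates() calls …
```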
diff --git a/data/whitelists.yaml b/data/whitelists.yaml
index 08fb65f8a284ec189964634f7e4886ad236ed0a9..cdfb84dad39d20c7da79adfca8f830945c4a4d15 100644
--- a/data/whitelists.yaml
+++ b/data/whitelists.yaml
@@ -872,3 +872,10 @@ whitelists:
 #      my-pkg: "1.0.0-1+apertis1~v2023"
   DELTA_CHANNEL_IGNORELIST:
     apertis/v2023: "Debian oldstable based Apertis release, delta are not relevant anymore"
+  trigger_updates:
+    debian/bullseye: "Used as base for v2023"
+    debian/bullseye-security: "Source of security updates for v2023"
+    debian/bullseye-updates: "Source of bugfix updates for v2023"
+    debian/bookworm: "Used as base for v2024 and v2025"
+    debian/bookworm-security: "Source of security updates for v2024 and v2025"
+    debian/bookworm-updates: "Source of bugfix updates for v2024 and v2025"