diff --git a/.github/workflows/tunnel-server.yaml b/.github/workflows/tunnel-server.yaml
new file mode 100644
index 00000000..f23a5f1f
--- /dev/null
+++ b/.github/workflows/tunnel-server.yaml
@@ -0,0 +1,37 @@
+name: tunnel-server
+on:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+    tags:
+      - '*'
+
+jobs:
+  tunnel-server:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set image tag
+        if: startsWith(github.ref, 'refs/tags')
+        run: echo "IMAGE_TAG=${GITHUB_REF#refs/tags}" | tee -a ${GITHUB_ENV}
+
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Docker build
+        run: |
+          docker build \
+            -t ghcr.io/${{ github.repository_owner }}/aws-iot-secure-tunnel-server:${IMAGE_TAG:-devel} \
+            -f ./tunnel/cmd/secure-tunnel-server/Dockerfile .
+
+      - name: Login to GitHub Container Registry
+        if: startsWith(github.ref, 'refs/tags')
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}
+      - name: Push to GitHub Container Registry
+        if: startsWith(github.ref, 'refs/tags')
+        run: docker push ghcr.io/${{ github.repository_owner }}/aws-iot-secure-tunnel-server:${IMAGE_TAG:-devel}
diff --git a/tunnel/cmd/secure-tunnel-server/.dockerignore b/tunnel/cmd/secure-tunnel-server/.dockerignore
index f6998c3d..bd78b668 100644
--- a/tunnel/cmd/secure-tunnel-server/.dockerignore
+++ b/tunnel/cmd/secure-tunnel-server/.dockerignore
@@ -1 +1,3 @@
 secure-tunnel-server
+tlsoffloading
+docker-compose.yml
diff --git a/tunnel/cmd/secure-tunnel-server/Dockerfile b/tunnel/cmd/secure-tunnel-server/Dockerfile
index 7bcbc88e..935c047b 100644
--- a/tunnel/cmd/secure-tunnel-server/Dockerfile
+++ b/tunnel/cmd/secure-tunnel-server/Dockerfile
@@ -1,19 +1,18 @@
 # =====================
-FROM golang:1.16-alpine3.12 as go-builder
+FROM golang:1.16-alpine as go-builder
 
 ENV CGO_ENABLED=0
 
-COPY go.mod /go/src/github.com/seqsense/aws-iot-device-sdk-go/go.mod
-COPY go.sum /go/src/github.com/seqsense/aws-iot-device-sdk-go/go.sum
+COPY go.mod go.sum /go/src/github.com/seqsense/aws-iot-device-sdk-go/
 RUN cd /go/src/github.com/seqsense/aws-iot-device-sdk-go/ && go mod download
 
 COPY . /go/src/github.com/seqsense/aws-iot-device-sdk-go
 WORKDIR /go/src/github.com/seqsense/aws-iot-device-sdk-go/tunnel/cmd/secure-tunnel-server
-RUN go build -tags netgo -installsuffix netgo
+RUN go build -tags netgo -installsuffix netgo -ldflags "-extldflags -static"
 RUN cp secure-tunnel-server /usr/local/bin/
 
 # =====================
-FROM alpine:3.13
+FROM scratch
 
 COPY --from=go-builder /usr/local/bin/secure-tunnel-server /usr/local/bin/