diff --git a/.github/workflows/docker-goss.yaml b/.github/workflows/docker-goss.yaml
new file mode 100644
index 000000000..78e07bdcd
--- /dev/null
+++ b/.github/workflows/docker-goss.yaml
@@ -0,0 +1,98 @@
+name: Docker image for Goss
+
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - "v*"
+ workflow_dispatch:
+
+env:
+ PLATFORMS: "linux/amd64,linux/arm64"
+
+jobs:
+ goss:
+ name: Build and push Docker image
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ security-events: write # To upload Trivy sarif files
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/${{ github.repository_owner }}/goss
+
+ - name: Get latest git tag
+ uses: actions-ecosystem/action-get-latest-tag@v1
+ id: get-latest-tag
+
+ - name: Set short git commit SHA
+ run: |
+ calculatedSha=$(git rev-parse --short ${{ github.sha }})
+ echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+ - name: Get the current version of Go from project.
+ run: echo "GO_VERSION_FROM_PROJECT=$(go mod edit -json | jq -r .Go)" >> $GITHUB_ENV
+
+ - name: Build master goss image
+ if: github.ref_name == 'master'
+ uses: docker/build-push-action@v5
+ with:
+ build-args: |
+ GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }}
+ GOSS_VERSION=${{ steps.get-latest-tag.outputs.tag }}-${{ github.ref_name }}+${{ env.COMMIT_SHORT_SHA }}
+ context: .
+ push: true
+ tags: |
+ ghcr.io/${{ github.repository_owner }}/goss:master
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: ${{ env.PLATFORMS }}
+
+ - name: Build release goss image
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ uses: docker/build-push-action@v5
+ with:
+ build-args: |
+ GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }}
+ GOSS_VERSION=${{ github.ref_name }}
+ context: .
+ push: true
+ tags: |
+ ghcr.io/${{ github.repository_owner }}/goss:latest
+ ghcr.io/${{ github.repository_owner }}/goss:${{ github.ref_name }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: ${{ env.PLATFORMS }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ghcr.io/${{ github.repository_owner }}/goss:master
+ format: "sarif"
+ output: "trivy-results.sarif"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..93a143a3d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,19 @@
+ARG GO_VERSION=1.21
+
+FROM docker.io/golang:${GO_VERSION}-alpine AS base
+
+ARG GOSS_VERSION=v0.0.0
+WORKDIR /build
+
+RUN --mount=target=. \
+ CGO_ENABLED=0 go build \
+ -ldflags "-X github.com/goss-org/goss/util.Version=${GOSS_VERSION} -s -w" \
+ -o "/release/goss" \
+ ./cmd/goss
+
+FROM alpine:3.19
+
+COPY --from=base /release/* /usr/bin/
+
+RUN mkdir /goss
+VOLUME /goss
diff --git a/README.md b/README.md
index 02ede20cb..c1788885c 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,10 @@ make build [Full Documentation](https://github.com/goss-org/goss/blob/e73553f9c3065ac297499dafb4f8abef6acb24ad/docs/manual.md) +## Using the container image + +[Using the Goss container image](docs/container_image.md) + ## Quick start
diff --git a/docs/.pages b/docs/.pages
index 67373453b..bed10fe4c 100644
--- a/docs/.pages
+++ b/docs/.pages
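Review bot: The Trivy step in .github/workflows/docker-goss.yaml always scans `goss:master`, but on a tag push only the release build step runs, so the `:latest` and `:${{ github.ref_name }}` images this workflow publishes are never scanned and the uploaded SARIF describes whatever `:master` currently holds. Using `image-ref: ghcr.io/${{ github.repository_owner }}/goss:${{ github.ref_name }}` would cover both paths, since `ref_name` is `master` on branch builds and the tag name on releases. The same step uses `aquasecurity/trivy-action@master`, a mutable branch ref that runs in a job holding `packages: write`; pinning it (and `actions-ecosystem/action-get-latest-tag@v1`) to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>`, keeps an upstream change from running with that token. The scan also runs after `push: true`, so a finding reports on an image that is already published rather than gating it.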
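Review bot: In the Dockerfile's final stage, `RUN mkdir /goss` followed by `VOLUME /goss` declares an empty volume while the binary is copied to `/usr/bin/`, so the mount example this commit adds in docs/container_image.md (`docker exec weby /goss/goss autoadd nginx`) appears to have no binary to run. If `--volumes-from` is meant to keep working, place the binary in the volume before the `VOLUME` line, for example `COPY --from=base /release/goss /goss/goss`, alongside the `/usr/bin/` copy that the HEALTHCHECK examples rely on. For reproducible published images it is also worth naming the file, `COPY --from=base /release/goss /usr/bin/goss`, instead of the wildcard, and pinning the runtime base by digest (`alpine:3.19@sha256:<digest>`).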
@@ -2,6 +2,7 @@ nav:
 - Home: index.md
 - installation.md
 - quickstart.md
+ - container_image.md
 - Command Reference: cli.md
 - The gossfile: gossfile.md
 - migrations.md
diff --git a/docs/container_image.md b/docs/container_image.md
new file mode 100644
index 000000000..ba12d30f7
--- /dev/null
+++ b/docs/container_image.md
@@ -0,0 +1,53 @@
+# Goss container image
+
+## Dockerfiles
+
+* [latest](https://github.com/goss-org/goss/blob/master/Dockerfile)
+
+## Using the base image
+
+This is a simple alpine image with Goss preinstalled on it.
+Can be used as a base image for your projects to allow for easy health checking.
+
+### Mount example
+
+Create the container
+
+```sh
+docker run --name goss ghcr.io/goss-org/goss goss
+```
+
+Create your container and mount goss
+
+```sh
+docker run --rm -it --volumes-from goss --name weby nginx
+```
+
+Run goss inside your container
+
+```sh
+docker exec weby /goss/goss autoadd nginx
+```
+
+### HEALTHCHECK example
+
+```dockerfile
+FROM ghcr.io/goss-org/goss:latest
+
+COPY goss/ /goss/
+HEALTHCHECK --interval=1s --timeout=6s CMD goss -g /goss/goss.yaml validate
+
+# your stuff..
+```
+
+### Startup delay example
+
+```dockerfile
+FROM ghcr.io/goss-org/goss:latest
+
+COPY goss/ /goss/
+
+# Alternatively, the -r option can be set
+# using the GOSS_RETRY_TIMEOUT env variable
+CMD goss -g /goss/goss.yaml validate -r 5m && exec real_comand..
+```