diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 130052cf..d8ce5052 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -67,3 +67,11 @@ jobs:
           tags: |
             ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }}
             ghcr.io/${{ github.repository }}:latest
+      - name: Build minimal container image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          dockerfile: Dockerfile-minimal
+          tags: |
+            ghcr.io/${{ github.repository }}-minimal:${{ github.event.release.tag_name }}
+            ghcr.io/${{ github.repository }}-minimal:latest
diff --git a/Dockerfile-minimal b/Dockerfile-minimal
new file mode 100644
index 00000000..326f632c
--- /dev/null
+++ b/Dockerfile-minimal
@@ -0,0 +1,32 @@
+# ---
+# Stage 1: Install certs, build binary, create default config file
+# ---
+FROM docker.io/golang:1.15.3 AS builder
+RUN mkdir -p /go/src/github.com/anuvu/zot
+WORKDIR /go/src/github.com/anuvu/zot
+COPY . .
+RUN CGO_ENABLED=0 make clean binary-minimal
+RUN echo '{\n\
+    "storage": {\n\
+        "rootDirectory": "/var/lib/registry"\n\
+    },\n\
+    "http": {\n\
+        "address": "0.0.0.0",\n\
+        "port": "5000"\n\
+    },\n\
+    "log": {\n\
+        "level": "debug"\n\
+    }\n\
+}\n' > config.json && cat config.json
+
+# ---
+# Stage 2: Final image with nothing but certs, binary, and default config file
+# ---
+FROM scratch AS final
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /go/src/github.com/anuvu/zot/bin/zot-minimal /zot
+COPY --from=builder /go/src/github.com/anuvu/zot/config.json /etc/zot/config.json
+ENTRYPOINT ["/zot"]
+EXPOSE 5000
+VOLUME ["/var/lib/registry"]
+CMD ["serve", "/etc/zot/config.json"]