diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c38ba19d0..a3c1b3419 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,7 @@ permissions: contents: read on: + workflow_dispatch: push: branches: [main] tags: ["v*"] @@ -95,3 +96,41 @@ jobs: TELEMETRY_API_KEY: ${{ secrets.TELEMETRY_API_KEY }} TELEMETRY_ENDPOINT: ${{ secrets.TELEMETRY_ENDPOINT }} TELEMETRY_HEADER: ${{ secrets.TELEMETRY_HEADER }} + + build-image: + if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' + needs: [build] + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Hub login + if: github.event_name != 'pull_request' + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ vars.DOCKERBUILDBOT_USERNAME }} + password: ${{ secrets.DOCKERBUILDBOT_WRITE_PAT }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Docker metadata + id: meta + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: docker/cagent + + - name: Build and push image + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + sbom: true + provenance: mode=max + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: GIT_COMMIT=${{ github.sha }} diff --git a/Dockerfile b/Dockerfile index 23eec604a..c1f784bcb 100644 --- a/Dockerfile +++ b/Dockerfile 
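Review bot: The `build-image` job condition accepts any `workflow_dispatch` run, from whatever ref the dispatcher selects, and that run logs in with `DOCKERBUILDBOT_WRITE_PAT` and pushes to `docker/cagent`; only the tag path is tied to a release ref. If manual publishing is meant for the default branch only, tighten it to `if: startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')`, or put the job behind a protected `environment:` so the PAT is released only after approval. The two `github.event_name != 'pull_request'` checks (the Hub login step and `push:`) look unreachable under that job condition, so drop them or add a comment saying why they are kept. This also covers the `workflow_dispatch:` trigger added in the first hunk of this file.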
@@ -84,3 +84,8 @@ COPY --from=builder /binaries/cagent-$TARGETOS-$TARGETARCH cagent FROM scratch AS cross COPY --from=builder /binaries . + +FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 +RUN apk add --no-cache curl socat +COPY --from=build-agent /agent / +ENTRYPOINT [ "/agent" ] \ No newline at end of file diff --git a/Taskfile.yml b/Taskfile.yml index ccb5cd267..b141815d0 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -63,3 +63,7 @@ tasks: cross: desc: Build binaries for multiple platforms cmd: docker buildx build --target=cross {{.BUILD_ARGS}} --platform linux/amd64,linux/arm64,darwin/amd64,darwin/arm64,windows/amd64 --output=./dist . + + build-image: + desc: Build Docker image + cmd: docker buildx build -t docker/cagent:latest {{.BUILD_ARGS}} .
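Review bot: The new final stage in the Dockerfile has no `USER` instruction, so `/agent` runs as root in the published image, and the image ships `curl` and `socat` alongside it. Unless the agent needs root (not visible here), create an unprivileged account and switch to it before the entrypoint, e.g. `RUN apk add --no-cache curl socat && adduser -D cagent` followed by `USER cagent`. A comment above the `RUN` line saying why the two tools are needed at runtime would let a later reviewer judge whether they can be removed. The `build-agent` stage that the `COPY` reads from is defined outside this hunk.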
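Review bot: The Taskfile `build-image` task tags its output `docker/cagent:latest`, the same repository name the CI job publishes to, so a developer's local build cannot be told apart by name from a released image and could be pushed over it from a machine logged in with write access. A distinct local tag such as `-t docker/cagent:dev` keeps the two apart, and a `desc:` like `Build Docker image for local testing (not for publishing)` states the intent.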