diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000000..79afc88acd
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,86 @@
+name: Check and publish Docker images
+
+on:
+ pull_request:
+ push:
+ branches: [master]
+ tags:
+ - 'v*'
+ - '!v*-dev'
+ - 'release'
+
+defaults:
+ run:
+ shell: bash
+
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ env:
+ TEST_TAG: zeek:latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: "recursive"
+
+ # Create and boot a loader. This will e.g., provide caching
+ # so we avoid rebuilds of the same image after this step.
+ - uses: docker/setup-buildx-action@v1
+ - name: Build
+ uses: docker/build-push-action@v2
+ with:
+ context: ./
+ file: docker/Dockerfile
+ # Load and tag the image so it can be used by the test job below.
+ load: true
+ tags: ${{ env.TEST_TAG }}
+
+ # Run tests on the just created image.
+ - name: Run tests
+ uses: plexsystems/container-structure-test-action@v0.2.0
+ with:
+ image: ${{ env.TEST_TAG }}
+ config: docker/container-structure-test.yaml
+
+ - name: Get Version
+ id: version
+ run: echo "::set-output name=RELEASE_VERSION::$(cat VERSION)"
+ - name: Compute target tag
+ id: target
+ env:
+ RELEASE_VERSION: ${{ steps.version.outputs.RELEASE_VERSION }}
+ run: |
+ # Translate the Github reference into a tag name.
+ #
+ # - `release` tag maps to `zeek:latest`
+ # - `v*` tag (excluding `v*-dev` tags) maps to `zeek:RELEASE_VERSION`
+ # - `master` branch maps to `zeek-dev:latest`
+ #
+ # Any other refs are not published below.
+ if [ "${GITHUB_REF}" = "refs/tags/release" ]; then
+ echo "::set-output name=tag::zeek:latest"
+ elif [ "${GITHUB_REF}" = "refs/heads/master" ]; then
+ echo "::set-output name=tag::zeek-dev:latest"
+ elif [[ "${GITHUB_REF}" = refs/heads/v* ]] && [[ "${GITHUB_REF}" != refs/heads/v*-dev ]]; then
+ echo "::set-output name=tag::zeek:${RELEASE_VERSION}"
+ fi
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ # Secrets for the login are not available for pull requests.
+ if: github.event_name == 'push'
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Push
+ # Only publish if we did compute a tag.
+ if: github.event_name == 'push' && steps.target.outputs.tag != ''
+ uses: docker/build-push-action@v2
+ with:
+ context: ./
+ file: docker/Dockerfile
+ push: true
+ tags: |
+ zeekurity/${{ steps.target.outputs.tag}}
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000000..8ee9b62c42
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,60 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+# Layer to build Zeek.
+FROM debian:buster-slim AS build_zeek
+
+# Configure system for build.
+RUN apt-get -q update \
+ && apt-get install -q -y --no-install-recommends \
+ bind9 \
+ bison \
+ cmake \
+ flex \
+ g++ \
+ gcc \
+ libmaxminddb-dev \
+ libpcap-dev \
+ libssl-dev \
+ libz-dev \
+ make \
+ python3-minimal \
+ python3-dev \
+ swig \
+ ninja-build \
+ python3-pip \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy over the Zeek source tree.
+# NOTE: This assumes that we build in the context of the parent directory (the
+# Git checkout root). We e.g., ensure that in the `Makefile` in this directory.
+COPY . /src/zeek
+RUN make -C /src/zeek distclean
+
+WORKDIR /src/zeek
+RUN ./configure \
+ --generator=Ninja \
+ --build-type=Release \
+ && ninja -C build install
+
+# Final layer containing all artifacts.
+FROM debian:buster-slim AS final
+
+RUN apt-get -q update \
+ && apt-get install -q -y --no-install-recommends \
+ ca-certificates \
+ git \
+ libmaxminddb0 \
+ libpython3.7 \
+ libpcap0.8 \
+ libssl1.1 \
+ libz1 \
+ python3-minimal \
+ python3-git \
+ python3-semantic-version \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy over Zeek installation.
+COPY --from=build_zeek /usr/local/zeek /usr/local/zeek
+ENV PATH "/usr/local/zeek/bin:${PATH}"
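Review bot: The third branch of the `Compute target tag` step tests `refs/heads/v*`, but a pushed `v*` tag arrives as `GITHUB_REF=refs/tags/v*` (the `on.push.tags` filter is what triggers it), so release tags never produce a `zeek:RELEASE_VERSION` tag and the Push step is skipped for them; the `release` tag and `master` branch cases are matched correctly. Change it to `elif [[ "${GITHUB_REF}" = refs/tags/v* ]] && [[ "${GITHUB_REF}" != refs/tags/v*-dev ]]; then`. Separately, the third-party actions are referenced by mutable tags (`docker/login-action@v1`, `docker/build-push-action@v2`, `plexsystems/container-structure-test-action@v0.2.0`); since this job runs with the DockerHub credentials in scope, pinning those references to full commit SHAs keeps an upstream tag move from changing what executes next to the secrets.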
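Review bot: The `final` stage has no `USER` instruction after the `COPY --from=build_zeek` line, so the published image runs as root, and both stages pull `debian:buster-slim` by mutable tag rather than by digest, so two builds of the same commit can yield different images. If root is intended so that `zkg install` can write under `/usr/local/zeek` (the structure test does exactly that), a comment such as `# Runs as root: zkg needs write access under /usr/local/zeek.` would record the decision. `ENV PATH "/usr/local/zeek/bin:${PATH}"` uses the legacy whitespace form; `ENV PATH="/usr/local/zeek/bin:${PATH}"` is the current spelling. `COPY . /src/zeek` also ships the whole checkout, `.git` included, into the build stage; a `.dockerignore` at the context root would trim that.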
diff --git a/docker/Makefile b/docker/Makefile
new file mode 100644
index 0000000000..0a242c04bd
--- /dev/null
+++ b/docker/Makefile
@@ -0,0 +1,8 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+VERSION := $$(cat ../VERSION)
+
+.PHONY: all
+
+all:
+ @docker build -t zeek:$(VERSION) -f Dockerfile ..
diff --git a/docker/README b/docker/README
new file mode 100644
index 0000000000..8d3280f161
--- /dev/null
+++ b/docker/README
@@ -0,0 +1,19 @@
+Container image for Zeek
+========================
+
+This directory contains a minimal container image for Zeek. This image is
+published automatically to [DockerHub](https://hub.docker.com/u/zeekurity) for
+releases and for commits on the `master` branch.
+
+- Images for release are published as
+ [`zeekurity/zeek`](https://hub.docker.com/r/zeekurity/zeek) with the `latest`
+ tag pointing to the latest release.
+- Development images for the `master` branch are published as
+ [`zeekurity/zeek-dev`](https://hub.docker.com/r/zeekurity/zeek-dev).
+
+
+To run the image execute e.g.,:
+
+ docker run -it zeekurity/zeek
+
+To build the image execute `make` from this directory.
diff --git a/docker/container-structure-test.yaml b/docker/container-structure-test.yaml
new file mode 100644
index 0000000000..455f52358b
--- /dev/null
+++ b/docker/container-structure-test.yaml
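Review bot: `VERSION := $$(cat ../VERSION)` does not read the file at make time; `$$` collapses to a literal `$`, so the variable holds the text `$(cat ../VERSION)` and the substitution only happens when the shell executes the recipe line under `all:`. That works, but it is indirect and the value is unusable anywhere outside a recipe; `VERSION := $(shell cat ../VERSION)` reads the file once in make and gives a plain string. The recipe line's indentation is not recoverable from the collapsed diff, so confirm it is a tab rather than spaces, which make would reject.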
@@ -0,0 +1,37 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+# This file contains a test configuration for
+# https://github.com/GoogleContainerTools/container-structure-test.
+
+schemaVersion: 2.0.0
+
+commandTests:
+ - name: zeek can be run
+ command: zeek
+ args: ["-v"]
+ expectedOutput: ["^zeek version .*"]
+
+ - name: is release build
+ command: zeek-config
+ args: ["--build_type"]
+ expectedOutput: ["release"]
+
+ - name: btest can be run
+ command: btest
+ args: ["--version"]
+ expectedOutput: ["\\d\\.\\d"]
+
+ - name: valid zkg config
+ command: zkg
+ args: ["config"]
+ # Just validate that we some some valid entry here.
+ expectedOutput: ["state_dir = /usr/local/zeek/var/lib/zkg"]
+
+ - name: plugin can be installed
+ command: zkg
+ # We pick any plugin with minimal deps here.
+ args: ["install", "--force", "sethhall/domain-tld"]
+ expectedOutput:
+ - "Installing \"zeek/sethhall/domain-tld\""
+ - "Installed \"zeek/sethhall/domain-tld\" (.*)"
+ - "Loaded \"zeek/sethhall/domain-tld\""
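Review bot: The `plugin can be installed` test depends on the network at test time: `zkg install --force sethhall/domain-tld` fetches the package from its upstream repository, so an outage or a change in that package makes the image check fail or pass for reasons unrelated to the image, and the `Installed ... (.*)` pattern hides which version was fetched. Pinning the package with zkg's `--version` option in the `args` would make the result reproducible; if the intent is only an end-to-end check that zkg works, a comment stating that the test is expected to hit the network would make that explicit. The comment above the `valid zkg config` expectation has a doubled word; `# Just validate that we see some valid entry here.` reads correctly.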