diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..ae23ff3
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,110 @@
+---
+image: ubuntu:latest
+stages:
+ - Scan Early
+ - Build
+ - Scan
+ - Release
+before_script: []
+variables:
+ REGISTRY: registry.gitlab.com/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
+ DOCKER_HOST: tcp://docker:2375/
+ DOCKER_DRIVER: overlay2
+ DOCKER_TLS_CERTDIR: ""
+ IMAGE_TARBALL: container-$CI_COMMIT_SHORT_SHA.tar
+ IMAGE_TAG: $REGISTRY:$CI_COMMIT_SHORT_SHA
+ IMAGE_TAG_RELEASE: $REGISTRY:$CI_COMMIT_TAG
+ IMAGE_TAG_BLEEDING: $REGISTRY:bleeding
+ IMAGE_TAG_LATEST: $REGISTRY:latest
+default:
+ interruptible: yes
+ retry: 2
+ services:
+ - name: docker:dind
+ alias: docker
+ command: ["--tls=false"]
+ cache:
+ - key: trivy-db
+ paths:
+ - .trivy
+# Lightweight scanning where we check for repo misconfigs
+Trivy Secrets:
+ image:
+ name: aquasec/trivy
+ entrypoint: [""]
+ stage: Scan Early
+ retry: 0
+ script:
+ - trivy fs --exit-code 1 ./
+Trivy Misconfiguration:
+ image:
+ name: aquasec/trivy
+ entrypoint: [""]
+ stage: Scan Early
+ retry: 0
+ script:
+ - trivy config --severity HIGH,CRITICAL --exit-code 1 ./
+
+# Building
+Build Container:
+ image: docker:latest
+ cache: []
+ before_script: []
+ stage: Build
+ script:
+ # Basic Docker setup
+ - docker --version
+ - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $REGISTRY
+ - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
+ # Set up build environment
+ - docker buildx create --use
+ - docker buildx inspect --bootstrap
+ # Build the container
+ - docker buildx build
+ --platform linux/amd64
+ --tag=$IMAGE_TAG
+ --output type=oci,dest=$IMAGE_TARBALL
+ # Last-minute debug info
+ - docker images
+ artifacts:
+ paths:
+ - $IMAGE_TARBALL
+ expire_in: 1h
+
+# Meaty scanning for package vulns
+Scan Container:
+ image:
+ name: aquasec/trivy
+ entrypoint: [""]
+ stage: Scan
+ allow_failure: true
+ retry: 0
+ before_script:
+ - mkdir container
+ - tar xf $IMAGE_TARBALL -C container
+ script:
+ - trivy image
+ --input container
+ --platform linux/amd64
+ --scanners vuln,secret,misconfig
+ --severity HIGH,CRITICAL
+ --ignore-unfixed
+ --exit-code 1
+
+# OCI image tagging
+Tag SHA:
+ image:
+ name: quay.io/containers/skopeo:latest
+ entrypoint: [""]
+ interruptible: no # W: truthy value should be one of [false, true]
+ cache: []
+ before_script: []
+ stage: Release
+ script:
+ - echo "$CI_REGISTRY_PASSWORD" | skopeo login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin # E: line too long (100 > 80 characters)
+ - skopeo inspect oci-archive:$IMAGE_TARBALL
+ - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG
+ - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG_BLEEDING
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_TAG
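Review bot: `allow_failure: true` on the Scan Container job means the `--exit-code 1` on the `trivy image` scan never fails the pipeline, so Tag SHA still pushes `$IMAGE_TAG` and `$IMAGE_TAG_BLEEDING` when HIGH/CRITICAL findings exist; if the scan is meant as a release gate, change it to `allow_failure: false`, otherwise add a comment stating that the scan is advisory only. The first login in Build Container, `docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $REGISTRY`, passes the token on the command line (Docker itself warns that `--password` via the CLI is insecure) and appears redundant with the `--password-stdin` login to `$CI_REGISTRY` on the next line, so it can likely be dropped. Every job image is an unpinned moving tag (`ubuntu:latest`, `aquasec/trivy`, `docker:latest`, `quay.io/containers/skopeo:latest`); pinning the scanner and release tooling to a version tag or digest keeps both the scan results and the published images reproducible. The `trivy-db` cache saves `.trivy`, but nothing points trivy at that directory (for example a `TRIVY_CACHE_DIR: .trivy` variable), so the vulnerability DB is presumably re-downloaded on every run — worth confirming. As the yamllint warning already notes, `interruptible: yes` in `default` and `interruptible: no` in Tag SHA should be written `true`/`false`.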