diff --git a/.github/workflows/build-push-db-utils.yml b/.github/workflows/build-push-db-utils.yml
index f921712..5cc0f5a 100644
--- a/.github/workflows/build-push-db-utils.yml
+++ b/.github/workflows/build-push-db-utils.yml
@@ -1,4 +1,4 @@
-name: Build and push image 
+name: Build and push image [DB Utils]
 
 on:
   push:
diff --git a/.github/workflows/build-push-pf-pod.yml b/.github/workflows/build-push-pf-pod.yml
new file mode 100644
index 0000000..08f1536
--- /dev/null
+++ b/.github/workflows/build-push-pf-pod.yml
@@ -0,0 +1,42 @@
+name: Build and push image [Port Forward Pod]
+
+on:
+  push:
+  workflow_dispatch:
+
+env:
+  IMAGE_NAME: hmpps-delius-alfresco-port-forward-pod
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v4
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        with:
+          images: ${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        if: github.ref == 'refs/heads/main'
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
+        with:
+          context: ./tools/port-forward/
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/${{ steps.meta.outputs.tags }}, ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Build and push Docker image
+        if: github.ref != 'refs/heads/main'
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
+        with:
+          context: ./tools/port-forward/
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/${{ steps.meta.outputs.tags }}, ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}-${{ github.run_id }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/tools/port-forward/Dockerfile b/tools/port-forward/Dockerfile
new file mode 100644
index 0000000..7734714
--- /dev/null
+++ b/tools/port-forward/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine:3
+
+RUN apk add --update --no-cache socat \
+    && rm -rf /var/cache/apk/
+
+RUN addgroup -g 1001 -S appgroup && \
+    adduser -u 1001 -S appuser -G appgroup
+
+USER 1001
+
+CMD ["sh", "-c", "socat tcp-listen:$LOCAL_PORT,reuseaddr,fork tcp:$REMOTE_HOST:$REMOTE_PORT & pid=$! && trap \"kill $pid\" SIGINT && echo \"Socat started listening on $LOCAL_PORT: Redirecting traffic to $REMOTE_HOST:$REMOTE_PORT ($pid)\" && wait $pid"]