diff --git a/.obs/workflows.yml b/.obs/workflows.yml
index b7d41cfd4..a9e1bb392 100644
--- a/.obs/workflows.yml
+++ b/.obs/workflows.yml
@@ -249,6 +249,10 @@ staging_build:
 source_project: home:defolos:BCI:CR:Tumbleweed
 source_package: spack-image
 target_project: home:defolos:BCI:CR:Tumbleweed:Staging
+ - branch_package:
+ source_project: home:defolos:BCI:CR:Tumbleweed
+ source_package: stunnel-image
+ target_project: home:defolos:BCI:CR:Tumbleweed:Staging
 - branch_package:
 source_project: home:defolos:BCI:CR:Tumbleweed
 source_package: trivy-image
@@ -460,6 +464,9 @@ refresh_devel_BCI:
 - trigger_services:
 project: devel:BCI:Tumbleweed
 package: spack-image
+ - trigger_services:
+ project: devel:BCI:Tumbleweed
+ package: stunnel-image
 - trigger_services:
 project: devel:BCI:Tumbleweed
 package: trivy-image
diff --git a/stunnel-image/Dockerfile b/stunnel-image/Dockerfile
new file mode 100644
index 000000000..41d0a2de5
--- /dev/null
+++ b/stunnel-image/Dockerfile
@@ -0,0 +1,58 @@
+# SPDX-License-Identifier: MIT
+
+# Copyright (c) 2025 SUSE LLC
+
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon.
+
+# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
+# It is maintained by the BCI team and generated by
+# https://github.com/SUSE/BCI-dockerfile-generator
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# You can contact the BCI team via https://github.com/SUSE/bci/discussions
+
+#!UseOBSRepositories
+
+#!BuildTag: opensuse/stunnel:%%stunnel_re%%-%RELEASE%
+#!BuildTag: opensuse/stunnel:%%stunnel_re%%
+#!BuildTag: opensuse/stunnel:5
+#!BuildTag: opensuse/stunnel:latest
+
+FROM opensuse/bci/bci-micro:latest AS target
+FROM opensuse/tumbleweed:latest AS builder
+COPY --from=target / /target
+
+RUN set -euo pipefail; \
+ zypper -n --installroot /target --gpg-auto-import-keys install --no-recommends stunnel; \
+ zypper -n clean; \
+ rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}
+# sanity check that the version from the tag is equal to the version of stunnel that we expect
+RUN set -euo pipefail; \
+ [ "$(rpm --root /target -q --qf '%{version}' stunnel | \
+ cut -d '.' -f -1)" = "5" ]
+FROM opensuse/bci/bci-micro:latest
+COPY --from=builder /target /
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=org.opensuse.application.stunnel
+LABEL org.opencontainers.image.title="openSUSE Tumbleweed Stunnel"
+LABEL org.opencontainers.image.description="Stunnel container based on the openSUSE Tumbleweed Base Container Image."
+LABEL org.opencontainers.image.version="%%stunnel_re%%"
+LABEL org.opencontainers.image.url="https://www.opensuse.org"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="openSUSE Project"
+LABEL org.opencontainers.image.source="%SOURCEURL%"
+LABEL org.opencontainers.image.ref.name="%%stunnel_re%%-%RELEASE%"
+LABEL org.opensuse.reference="registry.opensuse.org/opensuse/stunnel:%%stunnel_re%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL org.opensuse.lifecycle-url="https://en.opensuse.org/Lifetime#openSUSE_BCI"
+LABEL org.opensuse.release-stage="released"
+# endlabelprefix
+LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/SUSE/BCI-dockerfile-generator/Tumbleweed/stunnel-image/README.md"
+COPY entrypoint.sh /usr/local/bin/
+COPY stunnel.conf /etc/stunnel/stunnel.conf
+RUN set -euo pipefail; chmod 0755 /usr/local/bin/entrypoint.sh; chown --recursive stunnel /etc/stunnel
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["/usr/sbin/stunnel"]
+USER stunnel
diff --git a/stunnel-image/README.md b/stunnel-image/README.md
new file mode 100644
index 000000000..f5c75e93f
--- /dev/null
+++ b/stunnel-image/README.md
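Review bot: The last RUN's `chown --recursive stunnel /etc/stunnel` gives the unprivileged runtime user ownership of `stunnel.conf` and everything else under `/etc/stunnel`, although the entrypoint in this commit only ever writes into `/etc/stunnel/conf.d`; scoping ownership to that directory keeps the base configuration (foreground mode and the include directive) out of reach of the running service: `chown --recursive stunnel /etc/stunnel/conf.d`. Whether the stunnel package creates `/etc/stunnel/conf.d` in the installroot is not visible here; if it does not, every redirection in the entrypoint fails at container start, so a `mkdir -p /etc/stunnel/conf.d` in the same RUN, before the chown, would make the layer self-contained either way. The header states the file is generated by BCI-dockerfile-generator, so the change belongs in the generator's template rather than in this file.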
@@ -0,0 +1,88 @@
+# Stunnel Container Image
+
+![Redistributable](https://img.shields.io/badge/Redistributable-Yes-green)
+
+
+## Description
+
+Stunnel is an open-source multi-platform application that provides a universal
+TLS/SSL tunneling service.
+
+
+## How to use this image
+
+By default, the Stunnel container image launches `stunnel` using a minimal
+configuration file that specifies the following:
+- run in foreground
+- load further configuration files from `/etc/stunnel/conf.d`
+
+Custom configuration files must be placed into the directory
+`/etc/stunnel/conf.d`.
+
+The container entry point configures TLS/SSL automatically by setting the key
+and certificate to the values of the environment variables `STUNNEL_KEY` and
+`STUNNEL_CERT`. If one of the environment variables is unset, then the
+entrypoint defaults to `/etc/stunnel/stunnel.key` for `STUNNEL_KEY` and
+`/etc/stunnel/stunnel.pem` for `STUNNEL_CERT`.
+
+The entrypoint can set up a single service via environment variables, so that
+the user doesn't have to write and mount their own configuration file. This can
+be specified via the environment variables `STUNNEL_SERVICE_NAME`,
+`STUNNEL_ACCEPT` and `STUNNEL_CONNECT`:
+
+- `STUNNEL_SERVICE_NAME`: name or otherwise unique identifier of the service
+ (used for documentation purpose only)
+
+- `STUNNEL_ACCEPT`: address on which new connections should be accepted. It can
+ be either a hostname and a port number or just a port number (in which case,
+ localhost is assumed to be the host)
+
+- `STUNNEL_CONNECT`: address on which the unencrypted service is listening and
+ to which stunnel connects.
It can be either a hostname and port number or just
+ a port number (in which case, localhost is assumed to be the host)
+
+
+For example, to create an SSL endpoint for a webserver listening on port `8000`
+on localhost, run the following command:
+
+```bash
+podman run --rm -d \
+ -p 8443:8443 \
+ -e STUNNEL_SERVICE_NAME=webserver \
+ -e STUNNEL_ACCEPT=0.0.0.0:8443 \
+ -e STUNNEL_CONNECT=0.0.0.0:8000 \
+ -v=path/to/server.pem:/etc/stunnel/stunnel.pem:Z \
+ -v=path/to/server.crt:/etc/stunnel/stunnel.crt:Z \
+ registry.opensuse.org/opensuse/stunnel:5
+```
+
+
+### Logging
+
+Stunnel supports eight log levels, from 0 (emergency) to 7 (debug) with 5
+(notice) being the default. The log level can be configured via the environment
+variable `STUNNEL_DEBUG` using either the number or the log level name. For the
+supported logging levels, refer to the [upstream
+documentation](https://www.stunnel.org/static/stunnel.html#debug-FACILITY.-LEVEL).
+
+
+### Pitfalls
+
+The Stunnel container image is configured to launch `stunnel` as the `stunnel`
+user. But by default, files mounted into a running container belong to the
+`root` user. Set the file permissions of mounted files accordingly, so that
+non-owners and non-group members can read them.
+
+Stunnel's `inetd` mode is not supported in the container image, and it does not
+ship a package manager for installing any services.
+
+
+## Licensing
+
+`SPDX-License-Identifier: MIT`
+
+This documentation and the build recipe are licensed as MIT.
+The container itself contains various software components under various open source licenses listed in the associated
+Software Bill of Materials (SBOM).
+
+This image is based on [openSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/).
diff --git a/stunnel-image/_service b/stunnel-image/_service
new file mode 100644
index 000000000..279624397
--- /dev/null
+++ b/stunnel-image/_service
@@ -0,0 +1,9 @@
+ + + + + Dockerfile + %%stunnel_re%% + stunnel + + \ No newline at end of file
diff --git a/stunnel-image/entrypoint.sh b/stunnel-image/entrypoint.sh
new file mode 100644
index 000000000..7234908ce
--- /dev/null
+++ b/stunnel-image/entrypoint.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -eo pipefail
+
+STUNNEL_CERT="${STUNNEL_CERT:-/etc/stunnel/stunnel.pem}"
+STUNNEL_KEY="${STUNNEL_KEY:-/etc/stunnel/stunnel.key}"
+
+if [[ -n ${STUNNEL_DEBUG} ]]; then
+ echo "debug = ${STUNNEL_DEBUG}" > /etc/stunnel/conf.d/000debug.conf
+fi
+
+conf="/etc/stunnel/conf.d/container-ssl.conf"
+echo "cert = ${STUNNEL_CERT}" > $conf
+echo "key = ${STUNNEL_KEY}" >> $conf
+
+
+if [[ -n "${STUNNEL_SERVICE_NAME}" ]] && [[ -n "${STUNNEL_ACCEPT}" ]] && [[ -n "${STUNNEL_CONNECT}" ]]; then
+ conf="/etc/stunnel/conf.d/container.conf"
+ echo "[${STUNNEL_SERVICE_NAME}]" > $conf
+ echo "accept = ${STUNNEL_ACCEPT}" >> $conf
+ echo "connect = ${STUNNEL_CONNECT}" >> $conf
+fi
+
+exec "$@"
diff --git a/stunnel-image/stunnel-image.changes b/stunnel-image/stunnel-image.changes
new file mode 100644
index 000000000..c189e6f52
--- /dev/null
+++ b/stunnel-image/stunnel-image.changes
@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Fri Jan 17 10:30:46 UTC 2025 - SUSE Update Bot
+
+- First version of the Stunnel 5 BCI
diff --git a/stunnel-image/stunnel.conf b/stunnel-image/stunnel.conf
new file mode 100644
index 000000000..0364fdfd1
--- /dev/null
+++ b/stunnel-image/stunnel.conf
@@ -0,0 +1,2 @@
+foreground = yes
+include = /etc/stunnel/conf.d
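Review bot: The `STUNNEL_KEY` default of `/etc/stunnel/stunnel.key` near the top of the script does not line up with the README example in the same commit, which mounts `server.crt` to `/etc/stunnel/stunnel.crt` and nothing to `stunnel.key`, so `container-ssl.conf` would point stunnel at a key file the example never provides; the smaller fix is in the README, `-v=path/to/server.key:/etc/stunnel/stunnel.key:Z`. The script also writes the cert and key paths into the config without checking that they are readable by the `stunnel` user the image switches to, which is precisely the root-owned-mount pitfall the README describes; a guard before the writes such as `[[ -r "${STUNNEL_CERT}" && -r "${STUNNEL_KEY}" ]] || { echo "entrypoint: ${STUNNEL_CERT} or ${STUNNEL_KEY} is not readable" >&2; exit 1; }` turns an opaque stunnel startup failure into an actionable message. The `$conf` expansions in the redirections are unquoted; `> "$conf"` is the safer habit even though both values are literal paths here.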