diff --git a/.github/workflows/gotest.yml b/.github/workflows/gotest.yml
index fab7371..0b8d7de 100644
--- a/.github/workflows/gotest.yml
+++ b/.github/workflows/gotest.yml
@@ -17,24 +17,8 @@ jobs:
       - name: Check out source code
         uses: actions/checkout@v3
 
-      - name: Deploy containers
-        run: cd dev_utils && docker-compose up -d s3 mq_server
-
-      - name: Wait for containers to start
-        run: |
-          RETRY_TIMES=0
-          for p in mq s3
-          do
-          until docker ps -f name=$p --format {{.Status}} | grep "(healthy)"
-          do echo "waiting for $p to become ready"
-          RETRY_TIMES=$((RETRY_TIMES+1));
-          if [ $RETRY_TIMES -eq 30 ]; then exit 1; fi
-          sleep 10;
-          done
-          done
-
-      - name: Calc coverage
-        run: go test -tags live -coverprofile=coverage.txt -covermode=atomic
+      - name: Run test container
+        run: cd dev_utils && GOLANG_VERSION=${{ matrix.go-version }} docker compose run tests
 
       - name: Codecov
         uses: codecov/codecov-action@v3.1.1
diff --git a/.gitignore b/.gitignore
index 9eba776..71e3a80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,7 @@
 *.out
 
 # log dumps
-*.dump
\ No newline at end of file
+*.dump
+
+# coverage report
+coverage.txt
diff --git a/config_test.go b/config_test.go
index feae0c9..0ba1e1e 100644
--- a/config_test.go
+++ b/config_test.go
@@ -123,7 +123,7 @@ func (suite *TestSuite) TestConfigBroker() {
 func (suite *TestSuite) TestTLSConfigBroker() {
 	viper.Set("broker.serverName", "broker")
 	viper.Set("broker.ssl", true)
-	viper.Set("broker.cacert", "dev_utils/certs/ca.crt")
+	viper.Set("broker.cacert", "/certs/ca.crt")
 	config, err := NewConfig()
 	assert.NotNil(suite.T(), config)
 	assert.NoError(suite.T(), err)
@@ -132,8 +132,8 @@ func (suite *TestSuite) TestTLSConfigBroker() {
 	assert.NoError(suite.T(), err)
 
 	viper.Set("broker.verifyPeer", true)
-	viper.Set("broker.clientCert", "./dev_utils/certs/client.crt")
-	viper.Set("broker.clientKey", "./dev_utils/certs/client.key")
+	viper.Set("broker.clientCert", "/certs/client.crt")
+	viper.Set("broker.clientKey", "/certs/client.key")
 	config, err = NewConfig()
 	assert.NotNil(suite.T(), config)
 	assert.NoError(suite.T(), err)
@@ -141,8 +141,8 @@ func (suite *TestSuite) TestTLSConfigBroker() {
 	assert.NotNil(suite.T(), tlsBroker)
 	assert.NoError(suite.T(), err)
 
-	viper.Set("broker.clientCert", "./dev_utils/certs/client.pem")
-	viper.Set("broker.clientKey", "./dev_utils/certs/client-key.pem")
+	viper.Set("broker.clientCert", "/certs/client.pem")
+	viper.Set("broker.clientKey", "/certs/client-key.pem")
 	config, err = NewConfig()
 	assert.NotNil(suite.T(), config)
 	assert.NoError(suite.T(), err)
@@ -153,7 +153,7 @@ func (suite *TestSuite) TestTLSConfigBroker() {
 }
 
 func (suite *TestSuite) TestTLSConfigProxy() {
-	viper.Set("aws.cacert", "dev_utils/certs/ca.crt")
+	viper.Set("aws.cacert", "/certs/ca.crt")
 	config, err := NewConfig()
 	assert.NotNil(suite.T(), config)
 	assert.NoError(suite.T(), err)
diff --git a/dev_utils/config.yaml b/dev_utils/config.yaml
index 1043958..6b7d19d 100644
--- a/dev_utils/config.yaml
+++ b/dev_utils/config.yaml
@@ -7,10 +7,10 @@ aws:
   secretKey: "987654321"
   bucket: "test"
   region: "us-east-1"
-  cacert: "./dev_utils/certs/ca.crt"
+  cacert: "/certs/ca.crt"
 
 broker:
-  host: "localhost"
+  host: "mq"
   port: "5671"
   user: "test"
   password: "test"
@@ -19,16 +19,16 @@ broker:
   routingKey: "files.inbox"
   ssl: "true"
   verifyPeer: "true"
-  cacert: "./dev_utils/certs/ca.crt"
-  clientCert: "./dev_utils/certs/client.crt"
-  clientKey: "./dev_utils/certs/client.key"
+  cacert: "/certs/ca.crt"
+  clientCert: "/certs/client.crt"
+  clientKey: "/certs/client.key"
 # If the FQDN and hostname of the broker differ
 # serverName can be set to the SAN name in the certificate
   #  serverName: ""
 
 server:
-  cert: "./dev_utils/certs/proxy.crt"
-  key: "./dev_utils/certs/proxy.key"
+  cert: "/certs/proxy.crt"
+  key: "/certs/proxy.key"
   users: "./dev_utils/users.csv"
   jwtpubkeypath: "./dev_utils/keys/"
   jwtpubkeyurl: "https://login.elixir-czech.org/oidc/jwk"
diff --git a/dev_utils/docker-compose.yml b/dev_utils/docker-compose.yml
index ce4d826..fd2011b 100644
--- a/dev_utils/docker-compose.yml
+++ b/dev_utils/docker-compose.yml
@@ -45,7 +45,7 @@ services:
     volumes:
       - pubcert:/etc/ssl/certs
 
-  mq_server:
+  mq:
     image: rabbitmq:3.11.2-management-alpine
     container_name: mq
     depends_on:
@@ -73,7 +73,7 @@ services:
     image: neicnordic/sda-inbox-s3proxy
     container_name: proxy
     depends_on:
-      mq_server:
+      mq:
         condition: service_healthy
       s3:
         condition: service_healthy
@@ -115,6 +115,29 @@ services:
       - "8000:8000"
       - "8001:8001"
 
+  tests:
+    image: golang:${GOLANG_VERSION:-1.18}
+    container_name: s3proxy-tests
+    profiles:
+      - test
+    command:
+      - "/bin/sh"
+      - "-c"
+      - "cd /app; echo 'Running go ${GOLANG_VERSION:-1.18} tests';
+         go install 2>/dev/null
+         && go test -tags live -coverprofile=coverage.txt -covermode=atomic"
+    depends_on:
+      mq:
+        condition: service_healthy
+      s3:
+        condition: service_healthy
+      certfixer:
+        condition: service_completed_successfully
+    volumes:
+      - proxy_certs:/certs
+      - ./users.csv:/users.csv
+      - ..:/app
+
 volumes:
   pubcert:
   s3_certs:
diff --git a/proxy_test.go b/proxy_test.go
index bbec2e9..5f44605 100644
--- a/proxy_test.go
+++ b/proxy_test.go
@@ -95,7 +95,7 @@ func TestServeHTTP_disallowed(t *testing.T) {
 		secretKey: "someSecret",
 		bucket:    "buckbuck",
 		region:    "us-east-1",
-		cacert:    "./dev_utils/certs/ca.crt",
+		cacert:    "/certs/ca.crt",
 	}
 	messenger := NewMockMessenger()
 	proxy := NewProxy(s3conf, &AlwaysDeny{}, messenger, new(tls.Config))
@@ -172,7 +172,7 @@ func TestServeHTTP_S3Unresponsive(t *testing.T) {
 		secretKey: "someSecret",
 		bucket:    "buckbuck",
 		region:    "us-east-1",
-		cacert:    "./dev_utils/certs/ca.crt",
+		cacert:    "/certs/ca.crt",
 	}
 	messenger := NewMockMessenger()
 	proxy := NewProxy(s3conf, &AlwaysAllow{}, messenger, new(tls.Config))
@@ -201,7 +201,7 @@ func TestServeHTTP_allowed(t *testing.T) {
 		secretKey: "someSecret",
 		bucket:    "buckbuck",
 		region:    "us-east-1",
-		cacert:    "./dev_utils/certs/ca.crt",
+		cacert:    "/certs/ca.crt",
 	}
 	messenger := NewMockMessenger()
 	proxy := NewProxy(s3conf, NewAlwaysAllow(), messenger, new(tls.Config))
@@ -308,7 +308,7 @@ func TestMessageFormatting(t *testing.T) {
 		secretKey: "someSecret",
 		bucket:    "buckbuck",
 		region:    "us-east-1",
-		cacert:    "./dev_utils/certs/ca.crt",
+		cacert:    "/certs/ca.crt",
 	}
 	messenger := NewMockMessenger()
 	proxy := NewProxy(s3conf, &AlwaysDeny{}, messenger, new(tls.Config))