diff --git a/opam/Dockerfile b/opam/Dockerfile
new file mode 100644
index 00000000..dd9503da
--- /dev/null
+++ b/opam/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:22.04
+
+# Install opam and build tools for the OCaml switch.
+RUN apt-get update && apt-get install -y \
+ bash \
+ build-essential \
+ ca-certificates \
+ curl \
+ git \
+ m4 \
+ opam \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m -s /bin/bash test
+
+# App for putting scalibr binary inside the container.
+RUN mkdir -p /app
+
+# Copy opam install script into the container.
+COPY testdata/ /testdata/
+RUN chmod +x /testdata/install-opam.sh
+
+USER test
+ENV HOME=/home/test
+RUN /testdata/install-opam.sh
+
+# Set working directory.
+WORKDIR /app
+
+# Default command: start bash so the container stays alive interactively.
+CMD ["/bin/bash"]
diff --git a/opam/README.md b/opam/README.md
new file mode 100644
index 00000000..378712c0
--- /dev/null
+++ b/opam/README.md
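Review bot: In opam/Dockerfile, the first `RUN` calls `apt-get install -y` without `--no-install-recommends`, so apt also installs recommended packages that this fixture image does not need; `apt-get install -y --no-install-recommends \` keeps the image to the listed tools. The separate `RUN chmod +x /testdata/install-opam.sh` layer can be folded into the copy as `COPY --chmod=0755 testdata/ /testdata/`, which also leaves the script root-owned and not writable by `test`. `/app` is created by root before `USER test`, so when the container is started without the bind mount shown in the README the `test` user presumably cannot write `opam_output.textproto` there; a `chown test:test /app` in the same `RUN` as the `mkdir` would cover that case.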
@@ -0,0 +1,71 @@
+# OSV-Scalibr: opam (OCaml) Extractor
+
+This directory contains the test Docker setup for testing OSV-Scalibr's opam extractor plugin. opam is the package manager for OCaml and stores installed package entries in a default switch install file generated by opam itself.
+
+## Overview
+
+The opam extractor enumerates installed OCaml packages by reading the default switch install file at:
+
+```
+~/.opam/default/.opam-switch/install
+```
+
+Each entry is in the format `package-name.version` (one per line).
+
+## Test Data Contents
+
+The Docker build runs `testdata/install-opam.sh`, which uses opam to install the
+following packages in the default switch (versions are resolved by opam at build
+time):
+
+- `dune`
+- `ocamlfind`
+- `core_kernel`
+- `cohttp-lwt`
+- `ppx_deriving`
+
+## Setup Instructions
+
+### Build the Docker Image
+
+```bash
+cd security-testbeds/opam
+docker build -t opam-test .
+```
+
+The build runs `testdata/install-opam.sh`, which initializes opam and installs
+packages to generate the default switch install file.
+
+### Run the Container
+
+```bash
+docker run -it --rm -v $(pwd):/app opam-test
+```
+
+This will:
+- Start an interactive bash session
+- Mount the current directory as `/app` inside the container
+- Allow you to place the `scalibr` binary in `/app` and run tests
+
+### Running OSV-Scalibr (inside container)
+
+1) Build or copy the `scalibr` binary to the current directory
+2) Inside the container, run:
+
+```bash
+./scalibr --extractors=ocaml/opam --result=opam_output.textproto --root=/ home/test/.opam/default/.opam-switch/install
+```
+
+### Extracting Test Data to Host
+
+If you want to run the extractor outside the container:
+
+```bash
+docker run --rm -v $(pwd)/extracted_testdata:/output opam-test cp -r /home/test/.opam /output/
+```
+
+Then on your host:
+
+```bash
+./scalibr --extractors=ocaml/opam --result=opam_output.textproto --root=$(pwd)/extracted_testdata .opam/default/.opam-switch/install
+```
diff --git a/opam/testdata/install-opam.sh b/opam/testdata/install-opam.sh
new file mode 100644
index 00000000..9796ae57
--- /dev/null
+++ b/opam/testdata/install-opam.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export OPAMYES=1
+
+opam init --disable-sandboxing --yes --bare
+opam switch create default ocaml-base-compiler.5.1.1
+
+eval "$(opam env --switch=default)"
+
+opam install \
+ dune \
+ ocamlfind \
+ core_kernel \
+ cohttp-lwt \
+ ppx_deriving
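Review bot: The five packages passed to `opam install` carry no version, and `opam init` takes the default repository in whatever state it has at build time, so the generated `.opam-switch/install` file (the fixture the extractor is tested against) can differ on every image build. Pinning each one in the `name.<version>` form, as the compiler already is with `ocaml-base-compiler.5.1.1`, would keep the expected extractor output stable and limit the build to package releases someone has looked at. `--disable-sandboxing` switches off opam's build sandbox for those packages' build scripts, presumably because the sandbox cannot run inside the image build; a comment above the `opam init` line such as `# sandboxing disabled: not usable inside the container build, builds run as the unprivileged test user` would record that this is deliberate.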