diff --git a/.github/workflows/dockle.yml b/.github/workflows/dockle.yml
new file mode 100644
index 00000000..89b778b8
--- /dev/null
+++ b/.github/workflows/dockle.yml
@@ -0,0 +1,32 @@
+name: Dockle
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ dockle:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Build an image from Dockerfile
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ provenance: false
+ tags: |
+ summaly:scan
+ - name: Run dockle
+ uses: docker://goodwithtech/dockle:v0.4.14
+ env:
+ DOCKLE_OUTPUT_FORMAT: list
+ DOCKLE_EXIT_CODE: 1
+ DOCKLE_EXIT_LEVEL: WARN
+ DOCKLE_IGNORES: CIS-DI-0005,CIS-DI-0010
+ DOCKLE_DEBUG: true
+ with:
+ args: 'summaly:scan'
diff --git a/Dockerfile b/Dockerfile
index 6b83495e..3f873673 100644
--- a/Dockerfile
+++ b/Dockerfile
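Review bot: The actions in the steps block, `actions/checkout@v4` and `docker/build-push-action@v6`, are referenced by mutable tags, and the scanner itself, `docker://goodwithtech/dockle:v0.4.14`, is a mutable image tag running with the runner's Docker socket; for a job meant to gate merges these should be pinned to a full commit SHA (tag kept as a trailing comment) and to an image digest so the gate cannot be retargeted upstream. The workflow also declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; add `permissions:` with `contents: read` at the top level. The suppressions in `DOCKLE_IGNORES: CIS-DI-0005,CIS-DI-0010` carry no justification, so a one-line comment above that line naming what each checkpoint covers and why it is accepted here would keep the exception reviewable (if I read dockle's checkpoint list correctly, CIS-DI-0010 concerns credentials left in files or environment, which is not an exclusion to leave unexplained).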
@@ -1,13 +1,38 @@ -FROM node:20-slim +# syntax = docker/dockerfile:1.4 +ARG NODE_VERSION=20 + +FROM --platform=$TARGETPLATFORM node:${NODE_VERSION}-slim + +ARG UID="991" +ARG GID="991" + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + libjemalloc-dev libjemalloc2 \ + && ln -s /usr/lib/$(uname -m)-linux-gnu/libjemalloc.so.2 /usr/local/lib/libjemalloc.so \ + && corepack enable \ + && groupadd -g "${GID}" summaly \ + && useradd -l -u "${UID}" -g "${GID}" -m -d /app summaly \ + && find / -type d -path /sys -prune -o -type d -path /proc -prune -o -type f -perm /u+s -ignore_readdir_race -exec chmod u-s {} \; \ + && find / -type d -path /sys -prune -o -type d -path /proc -prune -o -type f -perm /g+s -ignore_readdir_race -exec chmod g-s {} \; \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists + +USER summaly WORKDIR /app +COPY --chown=summaly:summaly . ./ ENV NODE_ENV=production -COPY ./ ./ -RUN corepack enable \ - && pnpm i --frozen-lockfile --aggregate-output \ - && pnpm install fastify-cli +RUN pnpm i --frozen-lockfile --aggregate-output +RUN pnpm install fastify-cli + +RUN corepack pack +ENV COREPACK_ENABLE_NETWORK=0 + +ENV LD_PRELOAD=/usr/local/lib/libjemalloc.so +ENV MALLOC_CONF=background_thread:true,metadata_thp:auto,dirty_decay_ms:30000,muzzy_decay_ms:30000 CMD ["pnpm", "fastify", "start", "./dist/index.js"]
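Review bot: The apt step installs `libjemalloc-dev` into the runtime image although only the shared object from `libjemalloc2` is needed for the `LD_PRELOAD` set on the new `ENV` line, so the headers and static library add size and surface for nothing; the install line should read `&& apt-get install -y --no-install-recommends libjemalloc2 \`. Those packages are unpinned (hadolint DL3008) and the base stays a moving tag via `node:${NODE_VERSION}-slim`, so the image the new dockle job scans is not necessarily the image a later rebuild produces; pinning at least the minor version, or adding a digest, would make the scan result meaningful. The cleanup `&& rm -rf /var/lib/apt/lists` deletes the directory itself rather than its contents; the conventional `&& rm -rf /var/lib/apt/lists/*` avoids breaking `apt-get update` in derived images on apt versions that do not recreate it. Last, the `ln -s /usr/lib/$(uname -m)-linux-gnu/libjemalloc.so.2 ...` path only resolves where `uname -m` equals Debian's multiarch triplet prefix (x86_64, aarch64); on 32-bit ARM it would not, leaving `LD_PRELOAD` pointing at a dangling link so every process logs a preload error, which deserves a comment or a guard if that platform is ever built.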