diff --git a/.github/workflows/ci-cd.yaml b/.github/workflows/ci-cd.yaml
index 20c7acc..f6d888a 100644
--- a/.github/workflows/ci-cd.yaml
+++ b/.github/workflows/ci-cd.yaml
@@ -25,6 +25,11 @@ jobs:
 uses: golangci/golangci-lint-action@v6
 with:
 version: v1.60
+
+ # lint the dockerfile too
+ - uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: Dockerfile
 
 test:
 name: Test
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..97e57e2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,37 @@
+# Build stage
+FROM golang:1.22 AS builder
+
+# do people even care about the LFS hirarchy anymore?
+WORKDIR /app
+
+# Copy go mod and sum files in first so we can cache the dependencies
+COPY go.mod go.sum ./
+RUN go mod download
+
+# copy in the app and build it
+COPY . .
+
+# statically compile the go binary for the presumed target of amd64 linux
+# whilst its larger, its more portable and will run in a scratch container
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o api-server ./cmd/api-server
+
+# hack to create the nobody user for the scratch container.
+# hadolint ignore=DL3059
+RUN echo "nobody:x:65534:65534:Nobody:/:" > /etc_passwd
+
+# Use multi stage builds. This is the final runtime stage. We can use ephemeral containers in kubernetes now :tada:
+# We could make a development target if this displeases people too.
+FROM scratch
+
+# expose the port and hardcode it for now
+EXPOSE 8080
+
+# copy in the nobody user in
+COPY --from=builder /etc_passwd /etc/passwd
+
+WORKDIR /app
+COPY --from=builder /app/api-server /app/api-server
+
+# dont run the app as root, it is insecure
+USER nobody
+CMD ["./api-server"]
\ No newline at end of file
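Review bot: The new `hadolint/hadolint-action@v3.1.0` step is pinned to a mutable tag, so the action's code can be changed by the upstream maintainer (or an account takeover) without any diff appearing in this workflow; the existing `golangci/golangci-lint-action@v6` context line has the same exposure. Pin third-party actions to their full commit SHA and keep the tag as a comment for readability, e.g. `- uses: hadolint/hadolint-action@<full-commit-sha> # v3.1.0`. The YAML indentation appears to have been lost in this rendering and the enclosing lint job starts outside the hunk, so the new step's nesting under the job's `steps:` list should be confirmed against the real file.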
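Review bot: The build stage floats on the mutable `golang:1.22` tag and the `go build` line hardcodes `GOARCH=amd64`, so the image is neither reproducible between builds nor buildable for other platforms, as the "presumed target" comment itself admits. Pin the base by digest with `FROM golang:1.22@sha256:<digest-placeholder> AS builder` and let BuildKit supply the platform via `ARG TARGETOS TARGETARCH` followed by `RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o api-server ./cmd/api-server`. Because the final stage is `FROM scratch`, it carries no CA bundle or zoneinfo; if api-server makes outbound TLS connections or needs time zones, the relevant files should be copied from the builder alongside the passwd copy, otherwise this is fine as written. The synthetic passwd entry and `USER nobody` are a sound way to drop root here, and the relative `CMD ["./api-server"]` works only because of the preceding `WORKDIR /app`, which is worth stating in the comment above it.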