diff --git a/.dockerignore b/.dockerignore
index febfd09e..2699d863 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,15 @@
-node_modules/
+.circleci
+.dockerignore
+.git*
+.prettier*
+.reference-ignore
+CODE_OF_CONDUCT.md
+contrib
+CONTRIBUTING.md
+Dockerfile*
 lib/
-.git
+Makefile
+node_modules/
+nodemon.json
+openapitools.json
+SECURITY.md
diff --git a/Dockerfile b/Dockerfile
index 257c6bc6..d7d450ed 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,28 +1,29 @@
-FROM node:18.12.1-alpine
+FROM node:22-alpine as builder
 
-RUN mkdir -p /usr/src/app
 WORKDIR /usr/src/app
 
 ARG LINK=no
 
-RUN adduser -S ory -D -u 10000 -s /bin/nologin
-
-COPY package.json .
-COPY package-lock.json .
+COPY package.json package-lock.json ./
 
 RUN npm ci --fetch-timeout=600000
 
-COPY . /usr/src/app
+COPY . .
 
-RUN if [ "$LINK" == "true" ]; then (cd ./contrib/sdk/generated; rm -rf node_modules; npm ci; npm run build); \
+RUN if [ "$LINK" == "true" ]; then \
+    (cd ./contrib/sdk/generated; rm -rf node_modules; npm ci; npm run build) && \
     cp -r ./contrib/sdk/generated/* node_modules/@ory/kratos-client/; \
     fi
 
 RUN npm run build
 
-USER 10000
+FROM gcr.io/distroless/nodejs22-debian12:nonroot
+
+WORKDIR /usr/src/app
+
+COPY --from=builder /usr/src/app/ ./
 
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD ["npm run serve"]
+ENV PORT=3000
+EXPOSE ${PORT}
 
-EXPOSE 3000
+CMD ["/usr/src/app/lib/index.js"]