diff --git a/Containerfile b/Containerfile
index 7770436..4b26440 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,26 +1,34 @@
-# Multi-stage build for Astro static site
-FROM node:22-alpine AS builder
+###########
+# BUILD STAGE
+###########
+FROM cgr.dev/chainguard/node:latest-dev AS build
 WORKDIR /app
-# Install deps
+# Copy dependency manifests
 COPY package*.json ./
-RUN npm ci || npm install
-# Copy sources and build static output
+# Install all deps (inkl. dev)
+RUN --mount=type=cache,target=/root/.npm npm ci
+
+# Copy app source and build
 COPY . .
 RUN npm run build
-# ---- Runtime stage ----
-FROM node:22-alpine AS runtime
-WORKDIR /app
+###########
+# RUNTIME STAGE
+###########
+FROM cgr.dev/chainguard/node:latest
 ENV NODE_ENV=production
-ENV PORT=3000
-ENV WEB_ROOT=/app/dist
-ENV TZ=Europe/Berlin
-ENV ASTRO_TELEMETRY_DISABLED=1
-COPY --from=builder /app/dist /app/dist
-COPY server.mjs /app/server.mjs
-# Drop root: use the pre-created node user
-USER node
+WORKDIR /app
+
+# Copy only what’s needed to run
+COPY --from=build /app/package*.json ./
+COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/dist ./dist
+COPY --from=build /app/server.mjs ./server.mjs
+
+# Chainguard runs as nonroot by default (user `nonroot`)
+USER nonroot
 #EXPOSE 3000
-CMD ["node", "/app/server.mjs"]
+
+CMD ["node", "./server.mjs"]
\ No newline at end of file
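Review bot: Both `FROM` lines now track floating tags (`cgr.dev/chainguard/node:latest-dev` and `cgr.dev/chainguard/node:latest`), where the old file at least fixed the Node major with `node:22-alpine`, so a rebuild can silently pick up a different Node release or different image content; pin each by digest, e.g. `FROM cgr.dev/chainguard/node:latest@sha256:<digest>` (placeholder), and bump the digest deliberately. The runtime stage copies the whole `node_modules` produced by the full `npm ci`, so devDependencies ship in the final image despite the "only what's needed to run" comment; adding `RUN npm prune --omit=dev` after `npm run build`, or a separate production-deps stage, would keep build tooling out of the runtime attack surface. `USER nonroot` and `CMD ["node", "./server.mjs"]` both depend on base-image details not visible here, so it is worth confirming that a user with that name exists in the image and that the image does not already set `node` as its ENTRYPOINT, in which case the CMD would be passed as `node node ./server.mjs`. The commit also drops `ENV PORT`, `WEB_ROOT`, `TZ` and `ASTRO_TELEMETRY_DISABLED`; if `server.mjs` reads any of them without a default, that is a behaviour change the description should mention.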