diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 00000000..6ae867e8
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1 @@
+.github/workflows/main_matrix.yml
diff --git a/Dockerfile b/Dockerfile
index 0ce4e332..8e3cd215 100644
--- a/Dockerfile
+++ b/Dockerfile
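Review bot: The new `.semgrepignore` entry excludes `.github/workflows/main_matrix.yml` from every Semgrep scan without recording why, which also drops coverage of Semgrep's GitHub Actions rules (expression injection via `${{ github.event.* }}`, unpinned third-party actions) on that workflow. If the goal is to silence one specific finding, a line-level `# nosemgrep: <rule-id>` in the workflow keeps the rest of the file scanned; otherwise a comment here such as `# main_matrix.yml: excluded because <reason> (remove when <condition>)` lets the next reviewer judge whether the exclusion is still justified.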
@@ -1,15 +1,41 @@
 FROM debian:bullseye-slim AS builder
-RUN apt-get update
-RUN DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install wget python3 g++ zip python3-venv git vim
-RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -O get-platformio.py; chmod +x get-platformio.py
-RUN python3 get-platformio.py
-RUN git clone https://github.com/meshtastic/firmware --recurse-submodules
-RUN cd firmware
-RUN chmod +x ./firmware/bin/build-native.sh
-RUN . ~/.platformio/penv/bin/activate; cd firmware; sh ./bin/build-native.sh
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TZ=Etc/UTC
+
+# http://bugs.python.org/issue19846
+# > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
+ENV LANG C.UTF-8
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Install build deps
+USER root
+RUN apt-get update && \
+ apt-get -y install wget python3 g++ zip python3-venv git vim ca-certificates
+
+# create a non-priveleged user & group
+RUN groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
+
+USER mesh
+RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -qO /tmp/get-platformio.py && \
+ chmod +x /tmp/get-platformio.py && \
+ python3 /tmp/get-platformio.py && \
+ git clone https://github.com/meshtastic/firmware --recurse-submodules /tmp/firmware && \
+ cd /tmp/firmware && \
+ chmod +x /tmp/firmware/bin/build-native.sh && \
+ source ~/.platformio/penv/bin/activate && \
+ ./bin/build-native.sh
 
 FROM frolvlad/alpine-glibc
-WORKDIR /root/
-COPY --from=builder /firmware/release/meshtasticd_linux_amd64 ./
-RUN apk --update add --no-cache g++
-CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'"
\ No newline at end of file
+
+RUN apk --update add --no-cache g++ shadow && \
+ groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
+
+COPY --from=builder /tmp/firmware/release/meshtasticd_linux_amd64 /home/mesh/
+
+USER mesh
+WORKDIR /home/mesh
+CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'"
+
+HEALTHCHECK NONE
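Review bot: The builder stage's `RUN wget …/platformio-core-installer/master/get-platformio.py … && python3 /tmp/get-platformio.py && git clone https://github.com/meshtastic/firmware …` downloads and executes an installer from a moving `master` ref and compiles whatever the firmware repository's HEAD happens to be at build time, with no pinned revision or checksum, so the image is not reproducible and a compromise of either upstream flows straight into the build; the variant below parameterises both refs and keeps `master` as the default so current behaviour is unchanged until a tag is passed. Secondary points on the same hunk: `ENV LANG C.UTF-8` uses the deprecated space-separated form and should be `ENV LANG=C.UTF-8`; the runtime stage's shell-form `CMD sh -cx "…"` starts the daemon under two shells, so it is not PID 1 and will not receive SIGTERM from `docker stop` (and `-x` echoes the full command line into the container logs), while `HEALTHCHECK NONE` explicitly disables liveness checks for what is a long-running service. `COPY --from=builder … /home/mesh/` also leaves the binary root-owned inside the `mesh` home directory; `COPY --chown=mesh:mesh --from=builder …` would match the `USER mesh` that follows.
```dockerfile
FROM debian:bullseye-slim AS builder

# Upstream inputs this stage executes/compiles. Pass a release tag (or branch)
# to make the build reproducible; the defaults preserve today's moving-master behaviour.
ARG PLATFORMIO_INSTALLER_REF=master
ARG FIRMWARE_REF=master

# … unchanged: ENV / SHELL / apt-get / groupadd+useradd …

USER mesh
RUN wget "https://raw.githubusercontent.com/platformio/platformio-core-installer/${PLATFORMIO_INSTALLER_REF}/get-platformio.py" -qO /tmp/get-platformio.py && \
    python3 /tmp/get-platformio.py && \
    git clone --depth 1 --branch "${FIRMWARE_REF}" --recurse-submodules https://github.com/meshtastic/firmware /tmp/firmware && \
    cd /tmp/firmware && \
    chmod +x /tmp/firmware/bin/build-native.sh && \
    source ~/.platformio/penv/bin/activate && \
    ./bin/build-native.sh
```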