diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..bdac519
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,27 @@
+.git
+.github
+.idea
+.vscode
+Dockerfile
+.dockerignore
+
+# Build outputs
+bin/
+build/
+dist/
+out/
+
+# Archives & temp
+*.zip
+*.tar
+*.tar.gz
+*.rar
+*.7z
+*.log
+*.tmp
+*.swp
+~*
+
+# Optional: exclude non-runtime assets
+Organized/
+ThirdPartyCompatibleFormats/
\ No newline at end of file
diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml
index 76dcf87..fef26b9 100644
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@@ -8,6 +8,10 @@ on: pull_request: branches: [ "dev", "master" ] +permissions: + contents: read + packages: write + jobs: build: name: Build server binaries
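Review bot: The new `.dockerignore` has no patterns for local credential or environment files, and the builder stage of the Dockerfile added in this commit runs `COPY . .`, so anything of that kind sitting in a working tree is sent to the build context and kept in builder-stage layers and cache. Adding entries such as `.env`, `*.pem` and `*.key` costs nothing and keeps them out. In the "Archives & temp" group, `~*` matches names that start with a tilde; editor backups end with one, so `*~` may be what was intended.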
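Review bot: The `permissions:` block in `.github/workflows/server.yml` is added at workflow level, so `packages: write` is granted to every job, including `build` and runs triggered by `pull_request`, although only the new `docker` job pushes to GHCR. Move it to that job, `permissions: { contents: read, packages: write }` under `docker:`, and keep the workflow default at `contents: read`. Also check the step in `build` that sets `draft: false` / `prerelease: false` (visible in the next hunk): if it publishes a release, it needs `contents: write` on its job and would start failing with a read-only token.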
@@ -72,4 +76,57 @@ jobs:
 draft: false
 prerelease: false
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ docker:
+ name: Build and push Docker image
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Setup Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Determine image name and tags
+ id: imagetags
+ shell: bash
+ run: |
+ IMAGE="ghcr.io/${{ github.repository_owner }}/sensitive-lexicon-server"
+ echo "IMAGE=$IMAGE" >> $GITHUB_ENV
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ echo "PUSH=false" >> $GITHUB_ENV
+ echo "TAGS=${IMAGE}:pr-${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+ elif [ "${{ github.ref_type }}" = "tag" ]; then
+ echo "PUSH=true" >> $GITHUB_ENV
+ echo "TAGS=${IMAGE}:${{ github.ref_name }},${IMAGE}:latest" >> $GITHUB_ENV
+ else
+ BRANCH="${{ github.ref_name }}"
+ echo "PUSH=true" >> $GITHUB_ENV
+ if [ "$BRANCH" = "dev" ] || [ "$BRANCH" = "master" ]; then
+ echo "TAGS=${IMAGE}:latest,${IMAGE}:sha-${{ github.sha }}" >> $GITHUB_ENV
+ else
+ echo "TAGS=${IMAGE}:branch-${BRANCH},${IMAGE}:sha-${{ github.sha }}" >> $GITHUB_ENV
+ fi
+ fi
+ echo "Using tags: $TAGS"
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64,linux/arm64
+ push: ${{ env.PUSH }}
+ tags: ${{ env.TAGS }}
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..085f00c
--- /dev/null
+++ b/Dockerfile
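Review bot: `${{ github.ref_name }}` is expanded into the `run:` script text before bash sees it, so in the tag and branch arms of "Determine image name and tags" a ref name that contains shell syntax is interpreted by a job holding a `packages: write` token. Read the ref from the runner's environment instead, e.g. `BRANCH="$GITHUB_REF_NAME"` and `echo "TAGS=${IMAGE}:${GITHUB_REF_NAME},${IMAGE}:latest" >> "$GITHUB_ENV"`, so the value reaches the script as data rather than as code. Separately, `latest` is written from `dev`, `master` and every tag, so it does not identify a release build. `echo "Using tags: $TAGS"` prints an empty value because entries written to `$GITHUB_ENV` only take effect in later steps.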
@@ -0,0 +1,34 @@
+# syntax=docker/dockerfile:1.4
+FROM golang:1.22-alpine AS builder
+WORKDIR /src
+
+# Pre-fetch deps
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source
+COPY . .
+
+# Build static binary for target platform
+ARG TARGETOS
+ARG TARGETARCH
+ENV CGO_ENABLED=0
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH \
+ go build -trimpath -ldflags="-s -w" -o /out/server ./cmd/server
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /app
+
+# App binary
+COPY --from=builder /out/server /app/server
+
+# Default lexicon files
+COPY Vocabulary /app/Vocabulary
+
+# Default envs
+ENV PORT=8080
+ENV LEXICON_DIR=Vocabulary
+
+EXPOSE 8080
+USER nonroot
+ENTRYPOINT ["/app/server"]
\ No newline at end of file
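Review bot: Both `FROM` lines and the `# syntax=` directive reference mutable tags, so the contents of the published image can change without any commit to this repository; pin each by digest, e.g. `FROM golang:1.22-alpine@sha256:<digest> AS builder` (placeholder, fill in a digest you have verified). The builder stage also lacks `--platform=$BUILDPLATFORM`: the workflow in this commit builds `linux/amd64,linux/arm64`, so without it the arm64 compile runs under QEMU emulation and the `GOOS`/`GOARCH` arguments are redundant. `FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder` lets the Go toolchain cross-compile on the native runner instead.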