diff --git a/.circleci/config.yml b/.circleci/config.yml
index d5b2c33b9..b11a22345 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 jobs:
   build-go:
     docker:
-      - image: golang:1.12
+      - image: golang:1.13.4
       - image: redis:5.0
       - image: mysql:5.7.27
         command: --event-scheduler=ON
diff --git a/Dockerfile b/Dockerfile
index bfa6febe3..cfc80eedb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
-FROM alpine
-MAINTAINER Kolide Developers <engineering@kolide.co>
-
-RUN apk --update add ca-certificates
+FROM gcr.io/distroless/static:nonroot
+LABEL maintainer="engineering@kolide.co"
+USER nonroot
 
 COPY ./build/binary-bundle/linux/fleet ./build/binary-bundle/linux/fleetctl /usr/bin/
 
-CMD ["fleet", "serve"]
+EXPOSE 8080
+CMD ["/usr/bin/fleet", "serve"]
diff --git a/Makefile b/Makefile
index 9417d4c65..974154a5f 100644
--- a/Makefile
+++ b/Makefile
@@ -107,10 +107,10 @@ endif
 build: fleet fleetctl
 
 fleet: .prefix .pre-build .pre-fleet
-	go build -i -o build/${OUTPUT} -ldflags ${KIT_VERSION} ./cmd/fleet
+	go build -i -o build/${OUTPUT} -ldflags ${KIT_VERSION} -ldflags "-w -s -extldflags '-static'" ./cmd/fleet
 
 fleetctl: .prefix .pre-build .pre-fleetctl
-	go build -i -o build/fleetctl -ldflags ${KIT_VERSION} ./cmd/fleetctl
+	go build -i -o build/fleetctl -ldflags ${KIT_VERSION} -ldflags "-w -s -extldflags '-static'" ./cmd/fleetctl
 
 lint-js:
 	yarn run eslint frontend --ext .js,.jsx