diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..821c19d
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1 @@
+.github
\ No newline at end of file
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 2839726..ff56934 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -7,6 +7,29 @@ on:
 push:
 merge_group:
 jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/checkout@v4
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: |
+ static-analysis
+
+ # TODO: build container once, before running static-analysis
 static-analysis:
 runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..f90d51a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,14 @@
+FROM nixos/nix:latest AS builder
+WORKDIR /app/
+COPY shell.nix /app/shell.nix
+RUN nix-shell
+
+COPY composer /app/composer
+COPY composer.json /app/composer.json
+COPY composer.lock /app/composer.lock
+RUN nix-shell --run "./composer install --no-scripts --no-cache --no-autoloader"
+
+COPY package.json /app/package.json
+COPY pnpm-lock.yaml /app/pnpm-lock.yaml
+RUN nix-shell --run "pnpm install --frozen-lockfile"
+
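Review bot: The `tags:` value in the new `build` job is the bare name `static-analysis`, so with `push: true` the image reference resolves to Docker Hub's default namespace, while the login step authenticates only against `ghcr.io` (and is still named "Login to Docker Hub"). The push will most likely be rejected, and in any case the credential and the target registry disagree; a fully qualified reference of the form `ghcr.io/<owner>/<image>:<tag>` (placeholders, lowercase) fixes that. The job also shows no `permissions:` block, and pushing to GHCR with `GITHUB_TOKEN` needs `packages: write`; if the workflow does not grant it elsewhere (the top of the file is outside the hunk), add `permissions: { contents: read, packages: write }` on this job so the token carries nothing more than the job uses. The `docker/*` actions that receive this token are referenced by mutable major tags (`@v3`, `@v5`); pinning them to commit SHAs would close that supply-chain gap.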
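Review bot: `FROM nixos/nix:latest` means every CI build pulls whatever that tag points to on the day, so the pushed image is not reproducible and an unexpected upstream change flows straight into it; pin a release tag and ideally a digest, e.g. `FROM nixos/nix:<version>@sha256:<digest> AS builder` (placeholders). The composer step passes `--no-scripts`, but `pnpm install --frozen-lockfile` has no matching `--ignore-scripts`, so dependency lifecycle scripts may run as root during the build, depending on the pnpm version; consider adding it if no dependency needs a build step. The file defines only the `builder` stage and no `USER`, so the published image runs as root with the whole Nix toolchain; if that is intended for a CI-only image, a short comment saying so, such as `# CI-only tooling image: not for deployment, runs as root`, would make the intent clear.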