diff --git a/docker/Dockerfile.proxy b/docker/Dockerfile.proxy
index 2369cb27..92a857eb 100644
--- a/docker/Dockerfile.proxy
+++ b/docker/Dockerfile.proxy
@@ -7,20 +7,6 @@ ARG FIPS_MODE
 RUN apt update -y
 RUN apt install -y build-essential ca-certificates python3 git
-WORKDIR /code
-
-COPY . .
-
-RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
- then echo "building in fips mode"; make clean split-proxy-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-proxy-fips split-proxy; \
- else echo "building in standard mode"; make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
- fi'
-
-# Runner stage
-FROM debian:12.10 AS runner
-
-RUN apt update -y
-RUN apt install -y bash ca-certificates
 RUN addgroup --gid 1000 --system 'split-proxy'
 RUN adduser \
 --disabled-password \
@@ -31,10 +17,43 @@ RUN adduser \
 --uid 1000 \
 'split-proxy'
+WORKDIR /code
+
+COPY . .
+
+RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
+ then echo "building in fips mode"; make clean split-proxy-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-proxy-fips split-proxy; \
+ else echo "building in standard mode"; make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+ fi'
+
+# distroless stage
+FROM scratch AS distroless
+
 COPY docker/functions.sh .
 COPY --from=builder /code/split-proxy /usr/bin/
 COPY --from=builder /code/entrypoint.proxy.sh .
+COPY --from=builder /bin/bash /bin/
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/shadow /etc/shadow
+COPY --from=builder /etc/group /etc/group
+# because split-sync is dynamically linked to glibc for the net library
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
+COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libtinfo* /lib/x86_64-linux-gnu/
+# health check
+COPY --from=builder /code/healthcheck.sh /usr/bin/
+# Get copyright statements for included components for legal compliance
+COPY --from=builder /usr/share/doc/ca-certificates/copyright /usr/share/doc/ca-certificates/copyright
+COPY --from=builder /usr/share/doc/bash/copyright /usr/share/doc/bash/copyright
+COPY --from=builder /usr/share/doc/libc6/copyright /usr/share/doc/libc6/copyright
+COPY --from=builder /usr/share/doc/libtinfo6/copyright /usr/share/doc/libtinfo6/copyright
+
+# runner stage squashed minimum layer
+FROM scratch
+
+COPY --from=distroless / /
 EXPOSE 3000 3010
diff --git a/docker/Dockerfile.synchronizer b/docker/Dockerfile.synchronizer
index f78665e1..5fa0d77a 100644
--- a/docker/Dockerfile.synchronizer
+++ b/docker/Dockerfile.synchronizer
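Review bot: The distroless stage copies the builder's complete `/etc/passwd`, `/etc/shadow` and `/etc/group` into the runtime image, so every account of the debian builder image (root and all its system users) is carried into a scratch image that only needs the `split-proxy` uid/gid mapping, and `/etc/shadow` serves no purpose at all since nothing in the image authenticates a login. In the builder stage, after the `adduser` call, write just the needed entries — `RUN grep '^split-proxy:' /etc/passwd > /tmp/passwd && grep '^split-proxy:' /etc/group > /tmp/group` — then replace the three copies with `COPY --from=builder /tmp/passwd /etc/passwd` and `COPY --from=builder /tmp/group /etc/group`, dropping the shadow copy entirely. The Dockerfile.synchronizer hunk below has the same three copies. Two smaller points: the comment `# because split-sync is dynamically linked to glibc for the net library` was pasted from the synchronizer file and should name split-proxy here, and the `USER split-proxy` switch for the final `FROM scratch` stage is not visible in this hunk, so confirm it still follows `EXPOSE` in the part of the file outside the diff.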
@@ -7,20 +7,6 @@ ARG FIPS_MODE
 RUN apt update -y
 RUN apt install -y build-essential ca-certificates python3 git
-WORKDIR /code
-
-COPY . .
-
-RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
- then echo "building in fips mode"; make clean split-sync-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
- else echo "building in standard mode"; make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
- fi'
-
-# Runner stage
-FROM debian:12.10 AS runner
-
-RUN apt update -y
-RUN apt install -y bash ca-certificates
 RUN addgroup --gid 1000 --system 'split-synchronizer'
 RUN adduser \
 --disabled-password \
@@ -31,10 +17,44 @@ RUN adduser \
 --uid 1000 \
 'split-synchronizer'
+WORKDIR /code
+
+COPY . .
+
+RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
+ then echo "building in fips mode"; make clean split-sync-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
+ else echo "building in standard mode"; make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+ fi'
+
+# distroless stage
+FROM scratch AS distroless
+
 COPY docker/functions.sh .
 COPY --from=builder /code/split-sync /usr/bin/
 COPY --from=builder /code/entrypoint.synchronizer.sh .
+COPY --from=builder /bin/bash /bin/
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/shadow /etc/shadow
+COPY --from=builder /etc/group /etc/group
+# because split-sync is dynamically linked to glibc for the net library
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
+COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libtinfo* /lib/x86_64-linux-gnu/
+# health check
+COPY --from=builder /code/healthcheck.sh /usr/bin/
+# Get copyright statements for included components for legal compliance
+COPY --from=builder /usr/share/doc/ca-certificates/copyright /usr/share/doc/ca-certificates/copyright
+COPY --from=builder /usr/share/doc/bash/copyright /usr/share/doc/bash/copyright
+COPY --from=builder /usr/share/doc/libc6/copyright /usr/share/doc/libc6/copyright
+COPY --from=builder /usr/share/doc/libtinfo6/copyright /usr/share/doc/libtinfo6/copyright
+
+
+# runner stage squashed minimum layer
+FROM scratch
+
+COPY --from=distroless / /
 EXPOSE 3000 3010
diff --git a/docker/entrypoint.sh.tpl b/docker/entrypoint.sh.tpl
index e15da7a2..bea421dd 100755
--- a/docker/entrypoint.sh.tpl
+++ b/docker/entrypoint.sh.tpl
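Review bot: The copies `COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 …`, `/lib64/ld-linux-x86-64.so.2` and `/lib/x86_64-linux-gnu/libtinfo*` hard-code amd64 paths, so if multi-arch builds are ever in scope a `--platform=linux/arm64` build (where the loader is `/lib/ld-linux-aarch64.so.1` and libraries live under `/lib/aarch64-linux-gnu`) fails at these COPY steps with a missing-source error instead of producing a working image. If amd64 is the only target, state it above the copies, `# NOTE: amd64 only — the glibc/loader paths below are architecture-specific`; otherwise have the builder stage collect the runtime libraries into a fixed directory (for example from the `ldd` output of `/bin/bash` and the binary, copied with `cp --parents` into `/out`) and use a single `COPY --from=builder /out/ /`. The Dockerfile.proxy hunk above has the identical copies. The `libtinfo*` glob also pulls in whatever matches in the builder, which is fine with the current base but silently widens if the builder image changes, so a pinned filename would be more predictable.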
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 FLAGS=({{ARGS}})
diff --git a/docker/functions.sh b/docker/functions.sh
index ce58f76f..cf5cfe9a 100644
--- a/docker/functions.sh
+++ b/docker/functions.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 function parse_flags_from_conf_file() {
 fn=$1
@@ -21,7 +21,8 @@ function flag_to_env_var() {
 return 1
 fi
- echo "${prefix}_${flag}" | tr "[a-z]" "[A-Z]" | tr "-" "_"
+ uppercase="${prefix^^}_${flag^^}"
+ echo "${uppercase//-/_}"
 return 0
 }
diff --git a/healthcheck.sh b/healthcheck.sh
new file mode 100755
index 00000000..c7b7ec55
--- /dev/null
+++ b/healthcheck.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+HOSTNAME="localhost"
+PORT=3010
+
+rc=1
+lineno=0
+exec 5<> /dev/tcp/${HOSTNAME}/${PORT}
+printf "GET /health/application HTTP/1.1\r\nHost: ${HOSTNAME}\r\nConnection: close\r\n\r\n" >&5
+while read LINE <&5; do
+ if [[ $lineno -eq 0 && ${LINE} =~ HTTP/1.1[[:space:]]200[[:space:]]OK ]]; then
+ rc=0
+ fi
+ lineno=$((lineno+1))
+done
+
+exit $rc
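Review bot: In healthcheck.sh the `while read LINE <&5` loop has no timeout, so if the listener accepts the connection but never answers — a wedged process is exactly what a health probe exists to catch — the script blocks until whatever runs it kills it; inside a Docker `HEALTHCHECK` that is only its `--timeout`, and no `HEALTHCHECK` instruction is visible in the Dockerfile hunks above. Use `while read -r -t 5 LINE <&5; do` so a stalled read ends the loop and the script exits with `rc=1` on its own (`-r` also stops backslash processing of the response). Two smaller points: `HOSTNAME` is a variable bash itself sets to the machine's host name, so a name such as `HC_HOST` avoids shadowing it, and the port is fixed to 3010 while the server's admin port may be configurable at runtime, which would make the probe fail on a healthy container — worth a comment stating that assumption next to `PORT=3010`.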