diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
index 2c3b1720..dbb94b42 100644
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -27,4 +27,5 @@ jobs:
 uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
 with:
 dockerfile: Dockerfile
- failure-threshold: warning
+ config: .hadolint.yaml
+ failure-threshold: error
diff --git a/.hadolint.yaml b/.hadolint.yaml
new file mode 100644
index 00000000..6943f144
--- /dev/null
+++ b/.hadolint.yaml
@@ -0,0 +1,25 @@
+# Hadolint configuration for Charon Dockerfile
+# See: https://github.com/hadolint/hadolint#configure
+
+# Global switch to ignore all these rules
+ignored:
+ # DL3008: Pin versions in apt-get install
+ # IGNORED: Debian Trixie is a rolling release where package versions change
+ # frequently and vary by architecture. Pinning exact versions creates a
+ # maintenance nightmare and breaks cross-architecture builds. The standard
+ # practice for Debian-based images is to use apt-get upgrade instead.
+ - DL3008
+
+ # DL3059: Multiple consecutive RUN instructions
+ # IGNORED: In multi-stage builds, separate RUN instructions are often
+ # intentional for:
+ # 1. Better layer caching (xx-apt installs target-arch packages separately)
+ # 2. Cross-compilation with xx-go requires separate setup steps
+ # 3. Clearer separation of concerns in complex builds
+ - DL3059
+
+# Trusted registries for FROM directives
+trustedRegistries:
+ - docker.io
+ - ghcr.io
+ - gcr.io
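Review bot: Raising `failure-threshold` from `warning` to `error` weakens the gate more than the new config needs, because the rules this commit deliberately tolerates are already silenced in `.hadolint.yaml`, so every other warning-severity finding now passes CI without anyone opting out of it. As far as I recall, several security-relevant checks sit at warning severity (for example DL3002, last `USER` is root), and those would stop failing the build here. I would keep `failure-threshold: warning` alongside `config: .hadolint.yaml`, and add further rule IDs to `ignored` with a justification when a specific warning is genuinely unwanted, so each suppression stays visible in review. Pinning the action to a full commit SHA with a version comment is the right pattern and should stay as is.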
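Review bot: The DL3008 justification explains why apt packages are not pinned but does not say what replaces that control, so a reader cannot tell whether build reproducibility is still covered; I would append to that comment `# Compensating control: base images in FROM are pinned by digest, so the apt snapshot is fixed per image rebuild.` only if the Dockerfile actually does that, and otherwise state plainly that apt package versions float between builds. `trustedRegistries` limits only the registry host, and listing `docker.io` admits any public Docker Hub image (hadolint also treats unprefixed image names as Docker Hub, if I remember correctly), so it is a weak allowlist on its own; trim the list to the registries the Dockerfile really pulls from and drop `gcr.io` if nothing uses it. The heading `# Global switch to ignore all these rules` reads as if it were a boolean; `# Rules suppressed repository-wide, each with its justification` describes the list more accurately.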