diff --git a/Dockerfile b/Dockerfile
index 99fcf898f8..89ddfba131 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -53,10 +53,10 @@ RUN --mount=type=cache,target=/root/.cache/uv \
     uv sync --frozen
 
 # ============================================
-# Stage 2: Production stage
+# Stage 2: Production stage (base)
 # ============================================
 
-FROM python:3.13-slim-bookworm
+FROM python:3.13-slim-bookworm AS base
 
 LABEL org.opencontainers.image.source="https://github.com/aboutcode-org/scancode.io"
 LABEL org.opencontainers.image.description="ScanCode.io"
@@ -94,8 +94,6 @@ RUN apt-get update \
        libzstd1 \
        libgpgme11 \
        libdevmapper1.02.1 \
-       libguestfs-tools \
-       linux-image-amd64 \
        git \
        wait-for-it \
        universal-ctags \
@@ -122,3 +120,18 @@ USER $APP_USER
 
 # Create static/ and workspace/ directories
 RUN mkdir -p /var/$APP_NAME/static/ /var/$APP_NAME/workspace/
+
+# ============================================
+# Stage 3: Full image (with VM inspection)
+# ============================================
+
+FROM base AS full
+
+USER root
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+       libguestfs-tools \
+       linux-image-amd64 \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+USER $APP_USER
diff --git a/Makefile b/Makefile
index b296282058..ca7ca26829 100644
--- a/Makefile
+++ b/Makefile
@@ -150,7 +150,10 @@ docs:
 	@${ACTIVATE} sphinx-build docs/ docs/_build/
 
 build:
-	docker build -t $(IMAGE_NAME) .
+	docker build --target base -t $(IMAGE_NAME) .
+
+build-full:
+	docker build --target full -t $(IMAGE_NAME) .
 
 bash:
 	docker run -it $(IMAGE_NAME) bash
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 597518a92b..1d83e672d6 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -7,16 +7,27 @@
 # $ SCANCODEIO_TEST_FIXTURES_REGEN=1 ./manage.py test
 
 name: scancodeio
+
+x-dev-env: &dev-env
+  SCANCODEIO_DEBUG: "True"
+  GUNICORN_RELOAD_FLAG: "--reload"
+
+x-dev-build: &dev-build
+  context: .
+  target: base
+
 services:
   web:
-    env_file:
-      - docker.dev.env
+    build: *dev-build
+    environment:
+      <<: *dev-env
     volumes:
       - ./scanpipe:/opt/scancodeio/scanpipe
 
   worker:
-    env_file:
-      - docker.dev.env
+    build: *dev-build
+    environment:
+      <<: *dev-env
     develop:
       watch:
         - action: sync+restart
diff --git a/docker.dev.env b/docker.dev.env
deleted file mode 100644
index 423c5665e2..0000000000
--- a/docker.dev.env
+++ /dev/null
@@ -1,2 +0,0 @@
-SCANCODEIO_DEBUG=True
-GUNICORN_RELOAD_FLAG=--reload