diff --git a/Dockerfile b/Dockerfile
index cebc06c6..07677802 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,18 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.10-alpine
-
-VOLUME /config
-EXPOSE 6060 6061
-
+FROM golang:1.10-alpine AS build
 ADD .   /go/src/github.com/coreos/clair/
 WORKDIR /go/src/github.com/coreos/clair/
+RUN go build github.com/coreos/clair/cmd/clair
 
-RUN apk add --no-cache git rpm xz dumb-init && \
-    go install -v github.com/coreos/clair/cmd/clair && \
-    mv /go/bin/clair /clair && \
-    rm -rf /go /usr/local/go
-
+FROM alpine:3.8
+COPY --from=build /go/src/github.com/coreos/clair/clair /clair
+RUN apk add --no-cache git rpm xz ca-certificates dumb-init
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/clair"]
-
+VOLUME /config
+EXPOSE 6060 6061
diff --git a/ext/vulnmdsrc/nvd/nvd.go b/ext/vulnmdsrc/nvd/nvd.go
index 17896ee6..ba82c223 100644
--- a/ext/vulnmdsrc/nvd/nvd.go
+++ b/ext/vulnmdsrc/nvd/nvd.go
@@ -26,6 +26,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -153,7 +154,7 @@ func getDataFeeds(dataFeedHashes map[string]string, localPath string) (map[strin
 	// Create map containing the name and filename for every data feed.
 	dataFeedReaders := make(map[string]string)
 	for _, dataFeedName := range dataFeedNames {
-		fileName := localPath + dataFeedName + ".xml"
+		fileName := filepath.Join(localPath, fmt.Sprintf("%s.xml", dataFeedName))
 		if h, ok := dataFeedHashes[dataFeedName]; ok && h == dataFeedHashes[dataFeedName] {
 			// The hash is known, the disk should contains the feed. Try to read from it.
 			if localPath != "" {