diff --git a/Dockerfile b/Dockerfile
index 5bf4ff6..82f5642 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,4 +12,6 @@ FROM scratch
 COPY --from=builder /checker-kerberos /checker-kerberos
 USER 65534:65534
 EXPOSE 8080
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+ CMD ["/checker-kerberos", "-healthcheck"]
 ENTRYPOINT ["/checker-kerberos"]
diff --git a/README.md b/README.md
index c6a2b63..c827a95 100644
--- a/README.md
+++ b/README.md
@@ -59,4 +59,4 @@ KDC over the network as part of an authenticated round-trip. It is meant to run on a trusted network, reachable only by the happyDomain instance that drives it. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private
-interface — do not expose it directly to the public internet.
+interface; do not expose it directly to the public internet.
diff --git a/checker/rules.go b/checker/rules.go
index 8801c2b..5a8d24e 100644
--- a/checker/rules.go
+++ b/checker/rules.go
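Review bot: The HEALTHCHECK added in the Dockerfile hunk relies on a `-healthcheck` flag that no visible hunk implements. It presumably arrives with the checker-sdk-go v1.5.0 bump in go.mod, and a comment should record that dependency so the two are not separated later. I would add above it `# scratch has no shell: keep CMD in exec form; -healthcheck is handled by the binary itself (checker-sdk-go >= 1.5.0, confirm)`. The README text in this same commit recommends binding the listener to a private interface, so it is worth confirming that `-healthcheck` probes the configured listen address rather than a fixed default. Otherwise a hardened deployment would be reported unhealthy and operators would be nudged back toward a wider bind.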
@@ -12,31 +12,31 @@ import (
 // Rule codes emitted by the kerberos rules. Keep these stable; UI / metrics
 // may match on them.
 const (
- CodeSRVOK = "kerberos.srv.ok"
- CodeNoSRV = "kerberos.srv.missing"
- CodeKDCReachableOK = "kerberos.kdc.reachable"
- CodeKDCUnreachable = "kerberos.kdc.unreachable"
- CodeKDCPartial = "kerberos.kdc.partial"
- CodeASProbeOK = "kerberos.as.ok"
- CodeASProbeFailed = "kerberos.as.failed"
- CodeASWrongRealm = "kerberos.as.wrong_realm"
- CodeASRepNoPreauth = "kerberos.as.no_preauth"
- CodeClockSkewOK = "kerberos.clock_skew.ok"
- CodeClockSkewBad = "kerberos.clock_skew.bad"
- CodeEnctypesStrong = "kerberos.enctypes.strong"
- CodeEnctypesWeakOnly = "kerberos.enctypes.weak_only"
- CodeEnctypesMixed = "kerberos.enctypes.mixed"
- CodeEnctypesUnknown = "kerberos.enctypes.unknown"
- CodeKadminDown = "kerberos.kadmin.unreachable"
- CodeKadminOK = "kerberos.kadmin.ok"
- CodeKpasswdDown = "kerberos.kpasswd.unreachable"
- CodeKpasswdOK = "kerberos.kpasswd.ok"
- CodeAuthSkipped = "kerberos.auth.skipped"
- CodeAuthTGTOK = "kerberos.auth.tgt_ok"
- CodeAuthTGTFail = "kerberos.auth.tgt_fail"
- CodeAuthTGSOK = "kerberos.auth.tgs_ok"
- CodeAuthTGSFail = "kerberos.auth.tgs_fail"
- CodeAuthTGSSkipped = "kerberos.auth.tgs_skipped"
+ CodeSRVOK = "kerberos.srv.ok"
+ CodeNoSRV = "kerberos.srv.missing"
+ CodeKDCReachableOK = "kerberos.kdc.reachable"
+ CodeKDCUnreachable = "kerberos.kdc.unreachable"
+ CodeKDCPartial = "kerberos.kdc.partial"
+ CodeASProbeOK = "kerberos.as.ok"
+ CodeASProbeFailed = "kerberos.as.failed"
+ CodeASWrongRealm = "kerberos.as.wrong_realm"
+ CodeASRepNoPreauth = "kerberos.as.no_preauth"
+ CodeClockSkewOK = "kerberos.clock_skew.ok"
+ CodeClockSkewBad = "kerberos.clock_skew.bad"
+ CodeEnctypesStrong = "kerberos.enctypes.strong"
+ CodeEnctypesWeakOnly = "kerberos.enctypes.weak_only"
+ CodeEnctypesMixed = "kerberos.enctypes.mixed"
+ CodeEnctypesUnknown = "kerberos.enctypes.unknown"
+ CodeKadminDown = "kerberos.kadmin.unreachable"
+ CodeKadminOK = "kerberos.kadmin.ok"
+ CodeKpasswdDown = "kerberos.kpasswd.unreachable"
+ CodeKpasswdOK = "kerberos.kpasswd.ok"
+ CodeAuthSkipped = "kerberos.auth.skipped"
+ CodeAuthTGTOK = "kerberos.auth.tgt_ok"
+ CodeAuthTGTFail = "kerberos.auth.tgt_fail"
+ CodeAuthTGSOK = "kerberos.auth.tgs_ok"
+ CodeAuthTGSFail = "kerberos.auth.tgs_fail"
+ CodeAuthTGSSkipped = "kerberos.auth.tgs_skipped"
 )
 
 // Rules returns the full list of CheckRules exposed by the Kerberos checker.
diff --git a/go.mod b/go.mod
index 392087b..0257f14 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module git.happydns.org/checker-kerberos
 go 1.25.0
 
 require (
- git.happydns.org/checker-sdk-go v1.3.0
+ git.happydns.org/checker-sdk-go v1.5.0
 github.com/jcmturner/gofork v1.7.6
 github.com/jcmturner/gokrb5/v8 v8.4.4
 )
diff --git a/go.sum b/go.sum
index e2b9a0d..7eadf2b 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-git.happydns.org/checker-sdk-go v1.3.0 h1:FG2kIhlJCzI0m35EhxSgn4UWc9M4ha6aZTeoChu4l7A=
-git.happydns.org/checker-sdk-go v1.3.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
+git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=