diff --git a/.github/workflows/patch-images.yaml b/.github/workflows/patch-images.yaml
new file mode 100644
index 000000000..1c1b8eae5
--- /dev/null
+++ b/.github/workflows/patch-images.yaml
@@ -0,0 +1,77 @@
+name: "Patch"
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # nightly
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  patch:
+      runs-on: ubuntu-latest
+      strategy:
+        fail-fast: false
+        matrix:
+          images: ['ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64', 'ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64']
+      steps:
+      - name: Harden Runner 
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 
+        with: 
+          egress-policy: audit 
+      - name: Login to ghcr.io
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate Trivy Report
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
+        with:
+          scan-type: 'image'
+          format: 'json'
+          output: 'report.json'
+          ignore-unfixed: true
+          vuln-type: 'os'
+          image-ref:  ${{ matrix.images }}
+      - name: Check Vuln Count
+        id: vuln_cout
+        run: |
+          report_file="report.json"
+          vuln_count=$(jq '.Results[0].Vulnerabilities | length' "$report_file")
+          echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
+      - name: Copa Action
+        if: steps.vuln_cout.outputs.vuln_count != '0'
+        id: copa
+        uses: project-copacetic/copa-action@1eb86b0907bce48225b66dc9488c7d329c2d48a0 # v1.0.0
+        with:
+          image:  ${{ matrix.images }}
+          image-report: 'report.json'
+          patched-tag: 'patched'
+          buildkit-version: 'v0.12.1'
+      - name: Push patched image
+        if: steps.copa.conclusion == 'success'
+        run: |
+          docker tag ghcr.io/azure/azure-workload-identity/proxy-init:patched ${{ matrix.images }}
+          docker push ${{ matrix.images }}
+
+  create-updated-manifest:
+      needs: patch
+      runs-on: ubuntu-latest
+      steps:
+      - name: Harden Runner 
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 
+        with: 
+          egress-policy: audit 
+      - name: Login to ghcr.io
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Docker manifest create
+        run: |
+          export DOCKER_CLI_EXPERIMENTAL=enabled
+          docker manifest create ghcr.io/azure/azure-workload-identity/proxy-init:latest --amend ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64 --amend ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64
+          docker manifest push ghcr.io/azure/azure-workload-identity/proxy-init:latest