diff --git a/.github/workflows/build-and-patch-copa.yml b/.github/workflows/build-and-patch-copa.yml
new file mode 100644
index 00000000..7d25d8d9
--- /dev/null
+++ b/.github/workflows/build-and-patch-copa.yml
@@ -0,0 +1,82 @@
+# This is a basic workflow to help you get started with Actions
+name: Building and Patch
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the main branch
+on: [workflow_dispatch]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  common:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: pwsh
+    steps:
+      - uses: actions/checkout@v3
+      - name: Get Changelog Entry
+        id: changelog_reader
+        uses: mindsers/changelog-reader-action@v2
+        with:
+          validation_depth: 10
+          path: ./CHANGELOG.md
+      - name: Get Version Info
+        id: read_metadata
+        run: |
+          echo "Version: ${{ steps.changelog_reader.outputs.version }}"
+          echo "Changes: ${{ steps.changelog_reader.outputs.changes }}"
+          $owner = "${{ github.repository_owner }}".ToLower()
+          $tagbase = "ghcr.io/$owner/aks/periscope:${{ steps.changelog_reader.outputs.version }}"
+          echo "tagbase=$tagbase" >> $env:GITHUB_OUTPUT
+    outputs:
+      tagbase: ${{ steps.read_metadata.outputs.tagbase }}
+  patch:
+    runs-on: ubuntu-latest
+    needs: common
+    strategy:
+      fail-fast: false
+      matrix:
+        images: ['${{ needs.common.outputs.tagbase }}']
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+      - name: Login to ghcr.io
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate Trivy Report
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
+        with:
+          scan-type: 'image'
+          format: 'json'
+          output: 'report.json'
+          ignore-unfixed: true
+          vuln-type: 'os'
+          image-ref: ${{ matrix.images }}
+      - name: Check Vuln Count
+        id: vuln_cout
+        run: |
+          report_file="report.json"
+          vuln_count=$(jq '.Results[0].Vulnerabilities | length' "$report_file")
+          echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
+      - name: Copa Action
+        if: steps.vuln_cout.outputs.vuln_count != '0'
+        id: copa
+        uses: project-copacetic/copa-action@3c942a3d9f1a1e05810d989b15733e5a70203045 # v1.0.0
+        with:
+          image: ${{ matrix.images }}
+          image-report: 'report.json'
+          patched-tag: 'patched'
+          buildkit-version: 'v0.12.1'
+      - name: Push patched image
+        if: steps.copa.conclusion == 'success'
+        run: |
+          docker tag ghcr.io/azure/aks/periscope:patched ${{ matrix.images }}
+          docker push ${{ matrix.images }}
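Review bot: The "Push patched image" step hard-codes `ghcr.io/azure/aks/periscope:patched` as the source of `docker tag`, while the image being patched is built in the `common` job from the lowercased `github.repository_owner`, so on a fork or any owner other than `azure` the tag step fails; since copa-action's `patched-tag: 'patched'` presumably yields the same repository under the `patched` tag, derive it from the matrix value instead, e.g. `docker tag "${IMAGE%:*}:patched" "$IMAGE"` with `IMAGE: ${{ matrix.images }}` supplied through `env:`. In the "Get Version Info" step the changelog-reader outputs (`version`, and especially the free-text `changes`) are interpolated straight into the pwsh script, so a quote or `$(...)` inside CHANGELOG.md changes or executes as script; pass them via `env:` and read `$env:VERSION` / `$env:CHANGES` instead. `actions/checkout@v3` and `mindsers/changelog-reader-action@v2` are pinned by mutable tag while every other action here is pinned to a commit SHA with a version comment; pin those two the same way. The header comment still says the workflow triggers on push/pull request to main, but the trigger is `on: [workflow_dispatch]`, so update it. Pushing the patched image back to `${{ matrix.images }}` overwrites the scanned release tag in place, which looks intended but deserves a one-line comment on the step saying so.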