diff --git a/scripts/Dockerfile b/scripts/Dockerfile
new file mode 100644
index 0000000..dce8470
--- /dev/null
+++ b/scripts/Dockerfile
@@ -0,0 +1,45 @@
+FROM debian:12-slim
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Get copa_version arg
+ARG copa_version=0.9.0
+
+# Install required packages and Docker
+RUN apt-get update && \
+ apt-get install -y \
+ tar \
+ ca-certificates \
+ curl \
+ gnupg \
+ jq \
+ lsb-release \
+ --no-install-recommends && \
+ mkdir -p /etc/apt/keyrings && \
+ curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+ apt-get update && \
+ apt-get install -y \
+ docker-ce-cli \
+ --no-install-recommends && \
+ rm -rf /var/lib/apt/lists/*
+
+# Install Copa
+RUN curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${copa_version}/copa_${copa_version}_linux_amd64.tar.gz && \
+ tar -zxvf copa.tar.gz && \
+ cp copa /usr/local/bin/ && \
+ chmod +x /usr/local/bin/copa && \
+ rm copa.tar.gz
+
+# Create credentials config
+RUN mkdir -p /root/.docker && \
+ echo '{"credsStore":""}' > /root/.docker/config.json
+
+# Create entrypoint script properly
+RUN echo '#!/bin/bash' > /entrypoint.sh && \
+ echo 'set -e' >> /entrypoint.sh && \
+ echo 'docker pull "$1"' >> /entrypoint.sh && \
+ echo 'copa patch --scanner docker-scout -i "$1" -t "${2:-patched}" --debug' >> /entrypoint.sh && \
+ chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/scripts/patch.sh b/scripts/patch.sh
old mode 100644
new mode 100755
index e69de29..dbc1af9
--- a/scripts/patch.sh
+++ b/scripts/patch.sh
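Review bot: In scripts/Dockerfile, the `# Install Copa` RUN step unpacks the release tarball and installs it into /usr/local/bin with no integrity check, so the image trusts whatever the download URL returns at build time. Pin the digest next to the version, e.g. `ARG copa_sha256=<sha256 of the release asset>`, and add `echo "${copa_sha256}  copa.tar.gz" | sha256sum -c - && \` before the `tar` line. The asset name is also hard-coded to `linux_amd64`, while the Docker repo line above it uses `dpkg --print-architecture`, so a build on another architecture would install a binary that cannot run there. Since no WORKDIR is set, `tar -zxvf copa.tar.gz` writes every archive member into the default working directory; `tar -zxf copa.tar.gz copa` would extract only the binary that the next line copies.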
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Check if image argument is provided
+if [ -z "$1" ]; then
+ echo "Usage: ./patch.sh [output-tag]"
+ exit 1
+fi
+
+IMAGE="$1"
+TAG="${2:-patched}"
+
+# Run COPA
+docker run --rm --privileged \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -e DOCKER_CONFIG=/root/.docker \
+ copa-local:0.9.0 \
+ "$IMAGE" \
+ "$TAG"
+
+echo "Done! Check 'docker images' for the patched image."
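Review bot: In scripts/patch.sh, the `docker run` line passes `--privileged` on top of bind-mounting `/var/run/docker.sock`, and nothing visible in the entrypoint appears to need it, since `docker pull` and `copa patch` both talk to the daemon over the socket. The socket alone already gives the container root-equivalent control of the host daemon, so the flag only strips the remaining confinement (capabilities, device access, seccomp/AppArmor). Consider `docker run --rm \` and re-add the flag only if a patch run demonstrably fails without it. A comment above the command such as `# The Docker socket grants control of the host daemon; only patch images you trust` would record the trust assumption. The usage string `Usage: ./patch.sh [output-tag]`, as shown, also omits the required image argument.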