diff --git a/.github/actions/bump_tag/action.yml b/.github/actions/bump_tag/action.yml
new file mode 100644
index 0000000..aa28e13
--- /dev/null
+++ b/.github/actions/bump_tag/action.yml
@@ -0,0 +1,23 @@
+name: Push new tag with version bump
+
+runs:
+ using: "composite"
+ steps:
+ - name: Create new patch release
+ shell: bash
+ working-directory: ${{ github.workspace }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ LATEST_TAG=`git tag --list "v[0-9]*.[0-9]*.[0-9]*\+[0-9]*" --sort=-v:refname | head -n 1`
+ RELEASE_VERSION=${LATEST_TAG%%+*}
+ BUILD_VERSION=${LATEST_TAG##*+}
+ NEW_BUILD_VERSION=$((BUILD_VERSION + 1))
+ NEW_TAG="${RELEASE_VERSION}+${NEW_BUILD_VERSION}"
+ echo "Latest tag: $LATEST_TAG"
+ echo "New tag: $NEW_TAG"
+ git tag $NEW_TAG $LATEST_TAG
+ git push origin $NEW_TAG
+ gh workflow run release --ref $NEW_TAG
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5fc7068..1db7200 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,7 @@ on:
 push:
 tags:
 - "v[0-9]+.[0-9]+.[0-9]+\\+[0-9]+"
+ workflow_dispatch:
 concurrency:
 group: rspamd-docker-${{ github.ref_name }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6607031..aa3b0fc 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
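Review bot: `LATEST_TAG` is used unchecked in `bump_tag`, so when no tag matches the glob the script keeps going with an empty value: `${LATEST_TAG##*+}` yields an empty string, `NEW_BUILD_VERSION` becomes 1, and the unquoted `git tag $NEW_TAG $LATEST_TAG` would attempt to create and push a tag named `+1` on whatever `HEAD` is checked out. A guard right after the assignment, `[ -n "$LATEST_TAG" ] || { echo "no release tag matching v*.*.*+N found" >&2; exit 1; }`, together with quoting the expansions (`git tag "$NEW_TAG" "$LATEST_TAG"`, `git push origin "$NEW_TAG"`), closes that path. A comment above the `git tag --list` line should also record that `--list` takes a shell glob rather than a regex, so `[0-9]*` means one digit followed by anything, and that the `--sort=-v:refname` ordering of the `+N` build suffix is assumed rather than verified. Since the tag is pushed with `github.token`, the push itself presumably does not fire the `release.yml` tag trigger, which is why the explicit `gh workflow run` follows; a one-line comment saying so would spare the next reader that question.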
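Review bot: Adding `workflow_dispatch:` to a workflow whose only other trigger is the `v*.*.*+N` tag filter means the release job can now be started on any ref by anyone with write access, and `github.ref_name` (used in the `concurrency` group shown here) is then a branch name rather than a version tag. If the jobs below — they are outside this hunk — derive image tags or version strings from `github.ref_name`, a job-level `if: startsWith(github.ref, 'refs/tags/v')` would keep a dispatch on a branch from producing a mis-tagged release while still admitting the `--ref <tag>` dispatch that `bump_tag` performs. A short comment on the trigger noting that it exists for the `bump_tag` action's `gh workflow run` would also document why a release workflow accepts manual dispatch at all.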
@@ -6,12 +6,75 @@ on:
 workflow_dispatch:
 jobs:
- security_check:
+ autosecurity:
+ permissions:
+ actions: write
+ contents: write
 runs-on: "ubuntu-22.04"
 steps:
- - name: Run grype
- uses: anchore/scan-action@v4
+ - name: Check out source code
+ uses: actions/checkout@v4
 with:
- image: rspamd/rspamd:latest
- only-fixed: true
- severity-cutoff: low
+ fetch-depth: 0
+
+ - name: Download grype
+ uses: anchore/scan-action/download-grype@v4
+ id: grype
+
+ - name: Check image
+ run: |
+ ${{steps.grype.outputs.cmd}} --only-fixed -o json --file report_release.json ghcr.io/${{ github.repository }}
+ RELEASE_VULN_COUNT=`jq '(.matches | length)' report_release.json`
+ echo Counted $RELEASE_VULN_COUNT vulnerabilities in release image.
+ echo RELEASE_VULN_COUNT=$RELEASE_VULN_COUNT >> "$GITHUB_ENV"
+
+ - name: Get old package tag
+ if: ${{ env.RELEASE_VULN_COUNT != '0' }}
+ run: |
+ OLD_PKG_TAG=`docker inspect ghcr.io/${{ github.repository }} | jq -r '.[0].Config.Labels."com.rspamd.pkg-tag"'`
+ echo "OLD_PKG_TAG=$OLD_PKG_TAG" >> "$GITHUB_ENV"
+
+ - name: Build test image
+ if: ${{ env.RELEASE_VULN_COUNT != '0' }}
+ id: build_test
+ uses: docker/build-push-action@v5
+ with:
+ build-args: |
+ PKG_IMG=ghcr.io/${{ github.repository }}
+ PKG_TAG=${{ env.OLD_PKG_TAG }}
+ file: Dockerfile
+ push: false
+ tags: ""
+
+ - name: Check test image
+ if: ${{ env.RELEASE_VULN_COUNT != '0' }}
+ run: |
+ ${{steps.grype.outputs.cmd}} --only-fixed -o json --file report_test.json ${{ steps.build_test.outputs.digest }}
+ TEST_VULN_COUNT=`jq '(.matches | length)' report_test.json`
+ echo Counted $TEST_VULN_COUNT vulnerabilities in test image.
+ echo TEST_VULN_COUNT=$TEST_VULN_COUNT >> "$GITHUB_ENV"
+
+ - name: Push new tag if test image checked clean
+ if: ${{ env.RELEASE_VULN_COUNT != '0' && env.TEST_VULN_COUNT == '0' }}
+ uses: ./.github/actions/bump_tag
+
+ - name: Check if test image is relatively better
+ if: ${{ env.RELEASE_VULN_COUNT != '0' && env.TEST_VULN_COUNT != '0' }}
+ run: |
+ jq '.matches.[].vulnerability.id' report_release.json | sort | uniq > release_vulns.txt
+ jq '.matches.[].vulnerability.id' report_test.json | sort | uniq > test_vulns.txt
+ NEWVULNS=$(comm -23 test_vulns.txt release_vulns.txt | wc -l)
+ if [ "$NEWVULNS" -gt 0 ]; then
+ echo "New test image has $NEWVULNS novel vulnerabilities? Weird... :("
+ fi
+ FIXEDVULNS=$(comm -23 release_vulns.txt test_vulns.txt | wc -l)
+ if [ "$FIXEDVULNS" -gt 0 ]; then
+ echo "Found $FIXEDVULNS vulnerabilities fixed in new test image. Bumping tag."
+ echo "BUMP_TAG=1" >> "$GITHUB_ENV"
+ else
+ echo "test image not fixed yet? OK... :("
+ fi
+
+ - name: Push new tag if test image is better
+ if: ${{ env.BUMP_TAG == '1' }}
+ uses: ./.github/actions/bump_tag
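Review bot: The scan in `Check test image` targets `${{ steps.build_test.outputs.digest }}`, but `Build test image` sets `push: false` with `tags: ""` and no `load:`, so the candidate image is in no registry and is known to the local daemon, if at all, by image ID rather than by that manifest digest; grype is therefore likely handed an empty or unresolvable reference (this depends on the buildx driver in use, which the hunk does not show). Adding `load: true` and a throwaway name such as `tags: rspamd-security-test:candidate` (constructed name) and scanning that tag, or scanning `${{ steps.build_test.outputs.imageid }}`, would make the scan target definite. In `Get old package tag`, `jq -r` prints the literal string `null` when the label is missing and that value then flows into `PKG_TAG=null` for the build; a guard after the inspect, `[ -n "$OLD_PKG_TAG" ] && [ "$OLD_PKG_TAG" != null ] || exit 1`, would fail fast instead of building against a bogus tag. The `.matches.[]` path in `Check if test image is relatively better` is accepted only by newer jq releases, whereas `.matches[]` works everywhere. Given that this job holds `contents: write` and `actions: write` and can push release tags, the third-party actions it runs (`actions/checkout@v4`, `anchore/scan-action/download-grype@v4`, `docker/build-push-action@v5`) are better pinned to a full commit SHA than to a mutable version tag.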