diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 28583d757..3419ff14d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,6 +6,19 @@ updates:
     - "/config/**/*"
   schedule:
     interval: weekly
+  ignore:
+    - dependency-name: "cloud-sql-connectors/cloud-sql-proxy"
+- package-ecosystem: docker
+  directories:
+    - "/"
+  schedule:
+    interval: weekly
+  allow:
+    - dependency-name: "cloud-sql-connectors/cloud-sql-proxy"
+  labels:
+    - "dependencies"
+    - "docker"
+    - "cloud-sql-proxy"
 
 - package-ecosystem: gomod
   directory: "/"
diff --git a/.github/workflows/cloud-sql-proxy-update.yml b/.github/workflows/cloud-sql-proxy-update.yml
new file mode 100644
index 000000000..10b50850b
--- /dev/null
+++ b/.github/workflows/cloud-sql-proxy-update.yml
@@ -0,0 +1,38 @@
+name: Cloud-SQL-Proxy update
+
+on:
+  pull_request:
+    types: [labeled]
+
+permissions: {}
+
+jobs:
+  my_job:
+    runs-on: ubuntu-latest
+    if: github.event.label.name == 'cloud-sql-proxy'
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+
+      - name: Update .ko.yaml with latest release version
+        run: |
+          export CLOUD_SQL_PROXY_VERSION="$(awk -F'[:@]' '/FROM gcr.io\/cloud-sql-connectors\/cloud-sql-proxy/{print $2; exit}' Dockerfile.deps)"
+          echo "Detected cloud-sql-proxy ${CLOUD_SQL_PROXY_VERSION}..."
+
+          sed -i 's/\(cloud-sql-proxy:\).*/\1'${CLOUD_SQL_PROXY_VERSION}'/' .ko.yaml
+
+      - name: Amend Dependabot PR
+        env:
+          PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add -A
+          git commit -sam "Bumping cloud-sql-proxy version in .ko.yaml"
+          git push origin HEAD:${PULL_REQUEST_HEAD_REF}
diff --git a/.ko.yaml b/.ko.yaml
index d47e91dbf..e3ad156a8 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,7 +1,7 @@
 ---
 defaultBaseImage: gcr.io/distroless/static-debian12:nonroot
 baseImageOverrides:
-  github.com/sigstore/scaffolding/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.3-alpine
+  github.com/sigstore/scaffolding/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.15.0-alpine
 
 builds:
   - id: ctlog-createctconfig
diff --git a/Dockerfile.deps b/Dockerfile.deps
index 0c6256348..c786c3fde 100644
--- a/Dockerfile.deps
+++ b/Dockerfile.deps
@@ -1,5 +1,5 @@
 # This Dockerfile simply serves as a trigger for dependabot to notify when a new upstream release of a component is available
 #
-# !!! READ AND ACT ON THIS !!! If dependabot proposes an update to the container listed below, you should also update the value listed in '.ko.yaml' and cut a new release of scaffolding
-FROM gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.15.0-alpine as cloud-sql-proxy
+# This will trigger a Dependabot update, which should trigger a workflow to update .ko.yaml accordingly
+FROM gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.15.0-alpine@sha256:7815b33cc48745133a065d32b5f420d6b2572565424d90cd8f4261d9529060f2
 ENV FOO=BAR