diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6f58fbdb2b..08abf0331d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,21 @@ defaults:
     shell: bash
 
 jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check ${{ matrix.checks }}
+
   check:
     name: Check
     runs-on: ubuntu-latest
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000000..8491e1c618
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,18 @@
+[graph]
+targets = [
+    "x86_64-unknown-none",
+    "aarch64-unknown-none-softfloat",
+    "riscv64gc-unknown-none-elf",
+]
+all-features = true
+
+[licenses]
+allow = [
+    "0BSD",
+    "Apache-2.0",
+    "MIT",
+    "MPL-2.0",
+    "ISC",
+    "Unicode-3.0",
+]
+confidence-threshold = 1.0