diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index d047c8c7..dff0f517 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -66,3 +66,11 @@ jobs:
         run: cargo fmt -p ostree -- --check -l
       - name: cargo clippy (warnings)
         run: cargo clippy -p ostree --features=${{ env['CARGO_PROJECT_FEATURES'] }} -- -D warnings
+  cargo-deny:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        log-level: warn
+        command: check bans sources licenses
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..75b6ac9b
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,10 @@
+[licenses]
+unlicensed = "deny"
+allow = ["Apache-2.0", "Apache-2.0 WITH LLVM-exception", "MIT", "BSD-3-Clause", "BSD-2-Clause"]
+
+[bans]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-git = []