diff --git a/.deny.toml b/.deny.toml
new file mode 100644
index 00000000..140389c2
--- /dev/null
+++ b/.deny.toml
@@ -0,0 +1,69 @@
+# https://embarkstudios.github.io/cargo-deny/checks/cfg.html
+
+all-features = true
+exclude = [
+ # dev only dependency
+ "criterion"
+]
+
+[advisories]
+vulnerability = "deny"
+unmaintained = "deny"
+
+[licenses]
+default = "deny"
+unlicensed = "deny"
+allow = [
+ "Apache-2.0",
+ "BSD-3-Clause",
+ "ISC",
+ "MIT",
+ "OpenSSL",
+ "Unicode-DFS-2016",
+ "Zlib",
+]
+# MPL-2.0 is copyleft but not "infectuous" like GPL
+copyleft = "allow"
+private = { ignore = true }
+
+[[licenses.clarify]]
+name = "ring"
+version = "*"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[bans]
+multiple-versions = "deny"
+wildcards = "deny"
+skip = [
+ # not a big deal, exotic OS support
+ { name = "hermit-abi" },
+ { name = "redox_syscall" },
+ # headers depends on old version
+ { name = "base64" },
+ # many crates haven't upgraded to 2.0 yet
+ { name = "syn" },
+
+ # ed25519-dalek issues...
+ { name = "block-buffer" },
+ { name = "digest" },
+ { name = "getrandom" },
+ { name = "rand" },
+ { name = "rand_core" },
+ { name = "rand_chacha" },
+ { name = "sha2" },
+]
+skip-tree = [
+ # happens often and not a huge deal
+ { name = "wasi" },
+ { name = "windows-sys" },
+
+ # markup5ever needs to upgrade
+ { name = "phf" },
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
deleted file mode 100644
index deb64856..00000000
--- a/.github/workflows/audit.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Dependencies
-
-env:
- CARGO_TERM_COLOR: always
-
-on:
- schedule:
- # every monday at 4AM (UTC?)
- - cron: '0 4 * * 1'
-jobs:
- audit:
- name: Security Audit
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repo
- uses: actions/checkout@v2
-
- - uses: actions-rs/audit-check@v1
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
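Review bot: The `[bans] skip` entries carry no `version` constraint, so each one silences duplicate-version findings for every version of that crate indefinitely, including new duplicates that appear after the ed25519-dalek, headers and syn-2.0 situations described in the comments are resolved; the `skip-tree` entries have the same open-ended shape. Bounding each exemption to the old line makes it expire on its own once the dependency moves, e.g. `{ name = "syn", version = "<2" }`, with the other entries given the corresponding upper bound of the version that is currently pinned. The `[advisories]` table sets `vulnerability` and `unmaintained` to deny but leaves `yanked` at its default; with the rest of the file at "deny", `yanked = "deny"` is worth stating explicitly so a pulled release of one of the skipped crypto crates (getrandom, rand_core, sha2) fails the check rather than warning. The comment above `copyleft` misspells "infectious" as "infectuous".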
diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml
new file mode 100644
index 00000000..47344972
--- /dev/null
+++ b/.github/workflows/deps.yml
@@ -0,0 +1,35 @@
+name: Dependencies
+
+env:
+ CARGO_TERM_COLOR: always
+
+on:
+ schedule:
+ # every monday at 4AM (UTC?)
+ - cron: '0 4 * * 1'
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ bans-licenses-sources:
+ name: Bans, Licenses, Sources
+ runs-on: ubuntu-latest
+ if: github.event.name != 'schedule'
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ command: check bans licenses sources
+
+ advisories:
+ name: Advisories
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ command: check advisories
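Review bot: The condition on the `bans-licenses-sources` job reads `github.event.name`, which is not a field of the event payload, so the expression compares an empty value against `'schedule'` and is always true; the job therefore runs on the weekly cron as well, which is the opposite of what the condition is meant to do. The context that carries the trigger name is `github.event_name`, so the line should read `if: github.event_name != 'schedule'`. Separately, the workflow declares no `permissions:` block and references both actions by floating major tags (`actions/checkout@v3`, `EmbarkStudios/cargo-deny-action@v1`); a top-level `permissions:` with `contents: read` bounds the default token, and pinning each action to a commit SHA with the tag in a trailing comment keeps a moved tag from silently changing what runs in CI.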