diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index dc89406338e3..d025dd00e085 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -138,6 +138,12 @@ jobs:
           command: fmt
           args: --all -- --check
 
+  cargo-deny:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: EmbarkStudios/cargo-deny-action@v1
+
   generator:
     name: regen check
     runs-on: ubuntu-latest
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 000000000000..a59b54988b78
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,43 @@
+exclude = [
+    "gtk-rs-examples",
+]
+
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+notice = "warn"
+ignore = []
+
+[licenses]
+unlicensed = "deny"
+allow = [
+  "MIT",
+  "Apache-2.0",
+]
+copyleft = "deny"
+allow-osi-fsf-free = "either"
+default = "deny"
+confidence-threshold = 0.8
+
+[bans]
+multiple-versions = "deny"
+wildcards = "allow"
+highlight = "all"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+
+# proc-macro-error depends on an old version of syn
+# See https://github.com/gtk-rs/gtk-rs-core/issues/1174
+[[bans.skip]]
+name = "syn"
+version = "1.0"
+
+# https://github.com/PistonDevelopers/freetype-rs/pull/254
+# https://gitlab.redox-os.org/redox-os/syscall/-/issues/34
+[[bans.skip]]
+name = "bitflags"
+version = "1.0"