diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
deleted file mode 100644
index 22e15f0f4c15..000000000000
--- a/.github/workflows/cargo-audit.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: "Cargo Audit"
-on:
- push:
- paths:
- # Run if workflow changes
- - '.github/workflows/cargo-audit.yml'
- # Run on changed dependencies
- - '**/Cargo.toml'
- - '**/Cargo.lock'
- # Run if the configuration file changes
- - '**/audit.toml'
- # Rerun periodically to pick up new advisories
- schedule:
- - cron: '0 0 * * *'
- # Run manually
- workflow_dispatch:
-jobs:
- audit:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- issues: write
- steps:
- - uses: actions/checkout@v4
- # https://github.com/marketplace/actions/cargo-audit-your-rust-dependencies
- - uses: actions-rust-lang/audit@72c09e02f132669d52284a3323acdb503cfc1a24
- name: Audit Rust Dependencies
- with:
- # sqlx-mysql pulls in rsa, but goose only uses sqlite. cargo-audit
- # can't distinguish used from unused deps (rustsec/rustsec#1119).
- ignore: RUSTSEC-2023-0071
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
new file mode 100644
index 000000000000..5dfa1c924f3b
--- /dev/null
+++ b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,28 @@
+name: "Cargo Deny"
+on:
+ push:
+ paths:
+ # Run if workflow changes
+ - '.github/workflows/cargo-deny.yml'
+ # Run on changed dependencies
+ - '**/Cargo.toml'
+ - '**/Cargo.lock'
+ # Run if the configuration file changes
+ - 'deny.toml'
+ # Rerun periodically to pick up new advisories
+ schedule:
+ - cron: '0 0 * * *'
+ # Run manually
+ workflow_dispatch:
+jobs:
+ deny:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ # https://github.com/EmbarkStudios/cargo-deny-action v2.0.15
+ - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979
+ with:
+ command: check advisories
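Review bot: In the new cargo-deny.yml, `- uses: actions/checkout@v4` is pinned only to a mutable major tag, while the cargo-deny step two lines below is pinned to a full commit SHA with the release noted in a comment; the one step that populates the workspace is therefore still re-targetable by whoever can move the `v4` tag, which undercuts the pinning done for the other action. Pin checkout the same way, with a comment naming the release above it and the full 40-character commit SHA in place of `@v4`, so the whole job has one supply-chain posture. The workflow also runs only on `push`, `schedule` and `workflow_dispatch` (carried over from the deleted workflow), so a pull request that changes Cargo.lock is not checked before merge; if that is intentional, a one-line comment under `on:` saying so would save the next reader from re-raising it.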
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 000000000000..bd3d86ca2363
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,6 @@
+[advisories]
+# Deny yanked crates to catch supply chain issues early.
+yanked = "deny"
+# Emulate cargo-audit which only checks vulnerabilities and yanked crates, not unmaintained/unsound.
+unmaintained = "none"
+unsound = "none"
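Review bot: The deleted cargo-audit workflow carried a justified `ignore: RUSTSEC-2023-0071` (rsa reached via sqlx-mysql, unused because only sqlite is compiled), and this new `[advisories]` table has no `ignore` entry, so if that crate is still in Cargo.lock the first `check advisories` run will fail on the same advisory; if the dependency has since been dropped, that is worth stating in the file so the omission reads as deliberate. If the suppression is still needed, carry it over with its reason so it stays scoped and auditable, e.g. `ignore = [{ id = "RUSTSEC-2023-0071", reason = "rsa comes via sqlx-mysql; goose only uses sqlite (rustsec/rustsec#1119)" }]` — the table form with `reason` is accepted by recent cargo-deny releases, but confirm against the version the pinned action bundles. The comment on `unmaintained`/`unsound` explains the intent well; keep `yanked = "deny"` as is.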