diff --git a/.changeset/add-cargo-deny.md b/.changeset/add-cargo-deny.md
new file mode 100644
index 00000000..2703a283
--- /dev/null
+++ b/.changeset/add-cargo-deny.md
@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Add cargo-deny configuration for license, advisory, and source auditing
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e30929d6..1eedc997 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -152,6 +152,19 @@ jobs:
 - name: Clippy
 run: cargo clippy --workspace -- -D warnings
+ deny:
+ name: Cargo Deny
+ needs: changes
+ if: needs.changes.outputs.rust == 'true' || github.event_name == 'push'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+ - name: Cargo deny
+ uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
+ with:
+ command: check
+
 skills:
 name: Verify Skills
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..ba5b337f
--- /dev/null
+++ b/deny.toml
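Review bot: The `if:` gate on the new `deny` job ties the run to Rust source changes or pushes, but advisory findings arrive through the RustSec database without any change to this repository, so a new advisory against an already-merged Cargo.lock is only noticed on the next push. Consider extending the gate to `if: needs.changes.outputs.rust == 'true' || github.event_name == 'push' || github.event_name == 'schedule'` and adding a cron `schedule` trigger to the workflow's `on:` block (outside this hunk), so the advisory check runs on a cadence independent of commits. It is also worth confirming that the `changes` filter that produces `outputs.rust` (defined outside the hunk) matches `deny.toml` and `Cargo.lock`, otherwise a pull request that only edits the policy file skips the job that enforces it.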
@@ -0,0 +1,49 @@
+# cargo-deny configuration
+# https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+targets = [
+ "x86_64-unknown-linux-gnu",
+ "x86_64-unknown-linux-musl",
+ "aarch64-unknown-linux-gnu",
+ "aarch64-unknown-linux-musl",
+ "x86_64-apple-darwin",
+ "aarch64-apple-darwin",
+ "x86_64-pc-windows-msvc",
+]
+
+# Advisories — checks for known vulnerable crate versions
+[advisories]
+ignore = []
+db-urls = ["https://github.com/rustsec/advisory-db"]
+
+# Licenses — allowlist of acceptable licenses
+[licenses]
+allow = [
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "MIT",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "Unicode-3.0",
+ "Unicode-DFS-2016",
+ "Zlib",
+ "OpenSSL",
+ "MPL-2.0",
+ "CC0-1.0",
+ "BSL-1.0",
+]
+
+# Bans — reject problematic and duplicate crates
+[bans]
+multiple-versions = "warn"
+wildcards = "deny"
+deny = []
+
+# Sources — restrict where crates can come from
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index", "https://index.crates.io/"]
+allow-git = []
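Review bot: `[graph]` pins seven targets but does not set `all-features = true`, so cargo-deny resolves the dependency graph from the workspace's default features only and any crate reached through an optional feature is invisible to the advisory, license and source checks; whether the workspace has such features cannot be seen from here, but adding `all-features = true` under `[graph]` makes the audit cover the full closure. Separately, the `[advisories]` and `[licenses]` tables omit `version = 2`; as I recall cargo-deny 0.14 and later use that key to opt into the stricter defaults where yanked and unmaintained advisories are errors rather than warnings, and the pinned action release is likely new enough to warn about its absence, so verify against the action's bundled cargo-deny. The empty `ignore = []`, `deny = []` and `allow-git = []` lists are fine as a starting policy but would each benefit from a comment on the line above stating the bar for adding an entry, e.g. `# Add entries only with a link to the triage and a removal date`, so future exceptions stay traceable.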