diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 58187ca4566d7430483ee2d66f92cbde8a27c663..6be2d1d92294b26587a8607066822b1a9ddd63d8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -161,28 +161,13 @@ clippy:
   script:
     - cargo clippy --all -- -D warnings --verbose
 
-audit:manual:
+audit_dependencies:
   extends: .rust_stable_lin64
   before_script:
-    - cargo install --force cargo-audit
+    - cargo deny -V
   stage: quality
   script:
-    - cargo audit
-  when: manual
-  except:
-    refs:
-      - dev
-
-audit:
-  extends: .rust_stable_lin64
-  before_script:
-    - cargo install --force cargo-audit
-  stage: quality
-  script:
-    - cargo audit
-  only:
-    refs:
-      - dev
+    - cargo deny check
 
 publish:crate:
   extends: .rust_stable_lin64
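Review bot: `audit_dependencies` no longer has `only`/`except` rules, so `cargo deny check` now blocks every ref with all of its checks in one job. A newly published advisory, or a failed advisory-database fetch, will therefore fail pipelines for unrelated changes. Consider splitting it into a blocking job that runs `cargo deny check bans licenses sources` and a separate job that runs `cargo deny check advisories`, whose result is still reported and followed up rather than ignored. The job also no longer installs the tool, so it presumably relies on the `.rust_stable_lin64` image shipping cargo-deny (the image definition is not visible in this diff). `cargo deny -V` prints the version but does not pin it, so a comment such as `# cargo-deny comes from the CI image; bump it there` would help the next maintainer.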
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000000000000000000000000000000000000..f69d1676dd27c8ca69ccfc02356b922ac0463446
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,51 @@
+[bans]
+multiple-versions = "warn"
+deny = [
+    # color-backtrace is nice but brings in too many dependencies and that are often outdated, so not worth it for us.
+    { name = "color-backtrace" },
+
+    # deprecated
+    { name = "quickersort" },
+
+    # term is not fully maintained, and termcolor is replacing it
+    { name = "term" },
+]
+skip-tree = [ 
+    { name = "winapi", version = "<= 0.3" },
+    { name = "autocfg", version = "<= 1" },
+]
+
+[licenses]
+unlicensed = "deny"
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.92
+allow = [
+    "AGPL-3.0",
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "OpenSSL",
+    "Zlib"
+]
+
+[[licenses.clarify]]
+name = "ring"
+# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
+# https://spdx.org/licenses/OpenSSL.html
+# ISC - Both BoringSSL and ring use this for their new files
+# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
+# license, for third_party/fiat, which, unlike other third_party directories, is
+# compiled into non-test libraries, is included below."
+# OpenSSL - Obviously
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
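Review bot: This file has no `[advisories]` table, although the CI job it backs replaces `cargo audit`. The vulnerability check therefore runs on cargo-deny's built-in defaults, which can differ between tool versions. I would state the policy explicitly, for example an `[advisories]` table with `vulnerability = "deny"` and `yanked = "deny"`; confirm the key names against the cargo-deny version in the CI image. Any advisory that is knowingly accepted belongs in an `ignore` list with a comment giving the reason. Separately, the `[[licenses.clarify]]` entry for `ring` is not restricted to a version, so adding a `version` requirement would make it clearer which release the `LICENSE` hash was taken from.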