diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
new file mode 100644
index 0000000000..2ffa622f8e
--- /dev/null
+++ b/.github/workflows/cargo-audit.yml
@@ -0,0 +1,39 @@
+name: Cargo Audit
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - '**.Cargo.toml'
+      - '**.Cargo.lock'
+      - '.github/workflows/cargo-audit.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - '**.Cargo.toml'
+      - '**.Cargo.lock'
+      - '.github/workflows/cargo-audit.yml'
+  schedule:
+    - cron: '0 0 * * *' # Run daily at midnight UTC
+
+permissions:
+  contents: read
+
+jobs:
+  cargo-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          submodules: true
+
+      - name: Run cargo-audit
+        uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
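Review bot: The `paths` filters under both `push` and `pull_request` use `'**.Cargo.toml'` and `'**.Cargo.lock'`, which in GitHub's glob syntax only match files whose name ends in `.Cargo.toml` / `.Cargo.lock` (the `**` absorbs the path and a literal dot must precede `Cargo`), so a real `Cargo.toml` or `crates/foo/Cargo.lock` never triggers the job and a PR that adds a vulnerable crate is only caught by the nightly schedule after merge. Use `'**/Cargo.toml'` and `'**/Cargo.lock'` in both lists, and add plain `'Cargo.toml'` / `'Cargo.lock'` entries if the root-level manifest is not matched by the `**/` form on this repository. Separately, `permissions` grants only `contents: read`, while rustsec/audit-check is documented as creating check runs on push/PR and issues on `schedule`, which presumably needs `checks: write` and `issues: write` on the job — confirm against the action's README for the pinned v2.0.0, otherwise the audit results will be produced but not surfaced. The harden-runner `egress-policy: audit` only logs outbound connections; once the set of endpoints the audit step needs (crates.io index, the RustSec advisory DB, api.github.com) is known from the audit logs, switching to `egress-policy: block` with an `allowed-endpoints` list is the enforcing configuration.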