diff --git a/.github/workflows/cargo-deny-scheduled.yml b/.github/workflows/cargo-deny-scheduled.yml
new file mode 100644
index 00000000..192cf31a
--- /dev/null
+++ b/.github/workflows/cargo-deny-scheduled.yml
@@ -0,0 +1,41 @@
+name: Scheduled Advisory Scan
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+on:
+  schedule:
+    # Daily at 11:17 UTC — offset from Trivy (11:08) to spread advisory DB load.
+    - cron: '17 11 * * *'
+
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  cargo-deny-advisories:
+    name: cargo deny advisories
+    # Only run on the upstream repo, not forks — avoids hammering the RustSec DB.
+    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      # Run only the advisories check so duplicate/license noise doesn't obscure
+      # newly published CVEs. The full `cargo deny check` runs in build.yml on
+      # every push/PR; this job exists solely to catch new advisories between pushes.
+      - name: Run cargo deny (advisories only)
+        uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
+        with:
+          command: check advisories
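Review bot: A newly published advisory surfaces here only as a failed scheduled run, and the workflow defines no step that turns that failure into something a maintainer will see (no issue creation, no notification step); as far as I recall GitHub's own failure e-mail for `schedule` runs goes only to whoever last modified the workflow file, so the signal is easy to lose. Since the job's stated purpose is to catch advisories between pushes, the header comment should say where failures are expected to be noticed, e.g. `# A failure here means a new RustSec advisory matches Cargo.lock; it is only visible as a red run in the Actions tab (no issue is opened).` Separately, the `if:` guard on the job also skips manual `workflow_dispatch` runs on forks, which the comment above it does not mention; if that is intended, widen the comment to `# Only run on the upstream repo, not forks (also skips manual dispatch on forks) — avoids hammering the RustSec DB.`, otherwise `if: ${{ github.event_name != 'schedule' || github.repository == 'dani-garcia/vaultwarden' }}` keeps the rate-limiting intent for the cron trigger while letting fork maintainers run it by hand. The hard-pinned action SHAs, empty top-level `permissions`, `contents: read` at job level and `persist-credentials: false` are all as they should be.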