diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml
new file mode 100644
index 000000000..008ce75f7
--- /dev/null
+++ b/.github/workflows/fossa.yaml
@@ -0,0 +1,18 @@
+name: FOSSA
+on:
+  push:
+jobs:
+  fossa:
+    name: FOSSA
+    # prevent job running from forked repository, otherwise
+    # 1. running on the forked repository would fail as missing necessary secret.
+    # 2. running on the forked repository would use unnecessary GitHub Action time.
+    if: ${{ github.repository == 'kurator-dev/kurator' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v3
+      - name: Run FOSSA scan and upload build data
+        uses: fossas/fossa-action@v1
+        with:
+          api-key: ${{secrets.FOSSA_API_KEY}}