diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index f43d935..59f7ca2 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -22,9 +22,7 @@ jobs:
 with:
 components: clippy
 - uses: Swatinem/rust-cache@v2
- - name: Dependency Licenses Review
- run: cargo deny check
- # https://doc.rust-lang.org/stable/clippy/continuous_integration/github_actions.html
+
 - name: Run Clippy
 run: cargo clippy --all-targets --all-features
 - name: Check for spelling errors
@@ -37,3 +35,6 @@ jobs:
 reporter: github-check
 # - name: Check if source code files have license header
 # run: make check-license-headers
+ # this action runs pretty late, to collect previous errors when new advisories arive
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ # https://doc.rust-lang.org/stable/clippy/continuous_integration/github_actions.html
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..f019e06
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,26 @@
+[bans]
+skip = [{ name = "base64" }, { name = "windows-sys" }]
+
+[graph]
+all-features = true
+
+[licenses]
+allow = [
+ "Apache-2.0",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "MIT",
+ "MPL-2.0",
+ "OpenSSL",
+ "Unlicense",
+]
+confidence-threshold = 1.0
+exceptions = [{ crate = "unicode-ident", allow = ["Unicode-DFS-2016"] }]
+clarify = [
+ # see https://github.com/briansmith/ring/blob/main/LICENSE for details
+ { crate = "ring", expression = "MIT AND ISC AND OpenSSL", license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+ ] },
+]
+unused-allowed-license = "allow"
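Review bot: The added step `- uses: EmbarkStudios/cargo-deny-action@v1` references a third-party action by a movable tag, so whatever that tag points to in future runs inside this workflow. Pinning to a full commit SHA fixes the executed code to what was reviewed, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-commit-sha> # v1`, where the SHA is a placeholder to be taken from the release you audited. The clippy documentation URL that was removed from above "Run Clippy" in the first hunk is re-added here as the last line, under the cargo-deny step, where it no longer describes anything; it should move back above `- name: Run Clippy` or be dropped. The new comment has a typo (`arive`) and could state its intent directly, presumably that the step runs last so a newly published advisory does not mask the results of the earlier checks.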
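Review bot: deny.toml configures only `[bans]`, `[graph]` and `[licenses]`, so the sources check runs on cargo-deny's defaults, under which a crate pulled from an unknown registry or git repository only produces a warning. If the project has no such dependencies, adding `[sources]` with `unknown-registry = "deny"` and `unknown-git = "deny"` makes that a failing check. The `skip` entries for `base64` and `windows-sys` carry no version, so every future duplicate of those crates is exempt from duplicate-version detection; a version-qualified entry with a comment on why it is needed keeps the exemption narrow. `unused-allowed-license = "allow"` silences the warning that would flag allow-list entries no dependency uses, so the list can stay broader than necessary; a comment naming the dependency that needs `OpenSSL` and `Unlicense` would let a later reviewer prune it.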