diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index 571e79a24..9bebc3e30 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -30,6 +30,8 @@ jobs:
       PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}"
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+      OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
     steps:
        # https://github.com/actions/virtual-environments/issues/709
       - name: "🗑 Free disk space"
@@ -58,6 +60,11 @@ jobs:
         run: |
           [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
 
+      - name: "🚔 Sonatype Scan"
+        id: sonatypescan
+        run: |
+          ./gradlew ossIndexAudit --no-parallel
+
       - name: "🛠 Build with Gradle"
         id: gradle
         run: |
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index aff3316ce..798901b95 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -10,4 +10,5 @@ repositories {
 dependencies {
     implementation(libs.gradle.graal)
     implementation(libs.gradle.kotlin)
+    implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.cache-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.cache-module.gradle
index ea01979ea..626531d5d 100644
--- a/buildSrc/src/main/groovy/io.micronaut.build.internal.cache-module.gradle
+++ b/buildSrc/src/main/groovy/io.micronaut.build.internal.cache-module.gradle
@@ -1,4 +1,17 @@
 plugins {
     id 'io.micronaut.build.internal.module'
     id 'io.micronaut.build.internal.cache-base'
+    id("org.sonatype.gradle.plugins.scan")
 }
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+logger.quiet("sonatypePluginConfigured: {} ossIndexUsername: {} ossIndexPassword: {}",  sonatypePluginConfigured, ossIndexUsername != null, ossIndexPassword != null)
+if (sonatypePluginConfigured) {
+ossIndexAudit {
+    username = ossIndexUsername
+    password = ossIndexPassword
+    excludeCompileOnly = true
+}
+}
+
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 2cd82664c..083ace80e 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -20,8 +20,9 @@ micronaut-test-resources = "2.7.0"
 micronaut-validation = "4.8.0"
 graal-svm = "23.1.5"
 graal-plugin = "0.10.4"
+micronaut-logging = "1.5.1"
+sonatype-scan = "2.8.3"
 
-micronaut-logging = "1.4.0"
 [libraries]
 # Core
 micronaut-core = { module = 'io.micronaut:micronaut-core-bom', version.ref = 'micronaut' }
@@ -47,5 +48,6 @@ testcontainers-junit = { module = "org.testcontainers:junit-jupiter" }
 testcontainers-spock = { module = "org.testcontainers:spock" }
 graal-svm = { module = "org.graalvm.nativeimage:svm", version.ref = "graal-svm" }
 spock-core = { module = "org.spockframework:spock-core", version.ref = "spock" }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
 gradle-kotlin = { module = "org.jetbrains.kotlin:kotlin-gradle-plugin", version.ref = "kotlin" }
 gradle-graal = { module = "org.graalvm.buildtools.native:org.graalvm.buildtools.native.gradle.plugin", version.ref = "graal-plugin" }