diff --git a/.github/workflows/changes.yml b/.github/workflows/changes.yml
index f480bac6265e4..7bf03d0c2a8a0 100644
--- a/.github/workflows/changes.yml
+++ b/.github/workflows/changes.yml
@@ -149,9 +149,6 @@ jobs:
 - "Makefile"
 - "rust-toolchain.toml"
 - "vdev/**"
- deny:
- - 'deny.toml'
- - "vdev/**"
 dependencies:
 - ".cargo/**"
 - 'Cargo.toml'
diff --git a/.github/workflows/comment-trigger.yml b/.github/workflows/comment-trigger.yml
index 59ec98530a7ba..5f3c7b0cce843 100644
--- a/.github/workflows/comment-trigger.yml
+++ b/.github/workflows/comment-trigger.yml
@@ -9,6 +9,7 @@
 # /ci-run-all : runs all of the below
 # /ci-run-cli : runs CLI - Linux
 # /ci-run-misc : runs Miscellaneous - Linux
+# /ci-run-deny : runs Deny - Linux
 # /ci-run-component-features : runs Component Features - Linux
 # /ci-run-cross : runs Cross
 # /ci-run-unit-mac : runs Unit - Mac
@@ -50,6 +51,7 @@ jobs:
 github.event.issue.pull_request && ( contains(github.event.comment.body, '/ci-run-all') || contains(github.event.comment.body, '/ci-run-cli') || contains(github.event.comment.body, '/ci-run-misc')
+ || contains(github.event.comment.body, '/ci-run-deny')
 || contains(github.event.comment.body, '/ci-run-component-features')
 || contains(github.event.comment.body, '/ci-run-cross')
 || contains(github.event.comment.body, '/ci-run-unit-mac')
@@ -89,6 +91,12 @@ jobs:
 uses: ./.github/workflows/misc.yml
 secrets: inherit
 
+ deny:
+ needs: validate
+ if: contains(github.event.comment.body, '/ci-run-all') || contains(github.event.comment.body, '/ci-run-deny')
+ uses: ./.github/workflows/deny.yml
+ secrets: inherit
+
 component-features:
 needs: validate
 if: contains(github.event.comment.body, '/ci-run-all') || contains(github.event.comment.body, '/ci-run-component-features')
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
new file mode 100644
index 0000000000000..f0040b68fb639
--- /dev/null
+++ b/.github/workflows/deny.yml
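Review bot: The new `deny` job passes `secrets: inherit` to deny.yml, yet that workflow references only `secrets.GITHUB_TOKEN`, which a called workflow receives without `inherit`; as written, the job that checks out and runs PR-branch scripts on `/ci-run-deny` is handed every repository secret. Dropping the `secrets: inherit` line under `uses: ./.github/workflows/deny.yml` keeps the job at least privilege. The sibling jobs in this file use the same pattern, so whether misc.yml or cli.yml actually need inherited secrets is not visible in this hunk. Authorization of the commenter presumably happens in the `validate` job this one `needs`, which is outside the hunk.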
@@ -0,0 +1,74 @@
+# Deny - Linux
+#
+# Checks for security vulnerabilities or license incompatibilities
+#
+# Runs on:
+# - scheduled UTC midnight
+# - on PR comment (see comment-trigger.yml)
+# - on demand from github actions UI
+
+name: Deny - Linux
+
+on:
+ workflow_call:
+ workflow_dispatch:
+ schedule:
+ # At midnight UTC
+ - cron: '0 0 * * *'
+
+jobs:
+ test-deny:
+ runs-on: ubuntu-latest
+ env:
+ CARGO_INCREMENTAL: 0
+ steps:
+ - name: (PR comment) Get PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+
+ - name: (PR comment) Set latest commit status as pending
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: myrotvorets/set-commit-status-action@v2.0.0
+ with:
+ sha: ${{ steps.comment-branch.outputs.head_sha }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ context: Deny - Linux
+ status: pending
+
+ - name: (PR comment) Checkout PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+
+ - name: Checkout branch
+ if: ${{ github.event_name != 'issue_comment' }}
+ uses: actions/checkout@v3
+
+ - uses: actions/cache@v3
+ name: Cache Cargo registry + index
+ with:
+ path: |
+ ~/.cargo/bin/
+ ~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-cargo-
+
+ - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+ - run: bash scripts/environment/prepare.sh
+ - run: echo "::add-matcher::.github/matchers/rust.json"
+ - name: Check cargo deny advisories/licenses
+ run: make check-deny
+
+ - name: (PR comment) Set latest commit status as ${{ job.status }}
+ uses: myrotvorets/set-commit-status-action@v2.0.0
+ if: always() && github.event_name == 'issue_comment'
+ with:
+ sha: ${{ steps.comment-branch.outputs.head_sha }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ context: Deny - Linux
+ status: ${{ job.status }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index dda403b3b6030..30a430fd1348b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -94,10 +94,6 @@ jobs:
 if: needs.changes.outputs.source == 'true'
 run: make check-events
 
- - name: Check cargo deny advisories/licenses
- if: needs.changes.outputs.dependencies == 'true' || needs.changes.outputs.deny == 'true'
- run: make check-deny
-
 - name: Check that the 3rd-party license file is up to date
 if: needs.changes.outputs.dependencies == 'true'
 run: make check-licenses
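Review bot: `test-deny` declares no `permissions:` block, so on the `issue_comment` path it checks out and executes PR-branch scripts (`bootstrap-ubuntu-20.04.sh`, `prepare.sh`, `make check-deny`) with whatever token scope the caller or the repository default provides, while the only write the job itself needs is for the two commit-status steps. Adding `permissions:` / `  contents: read` / `  statuses: write` at the job level bounds the token to that. Separately, with the `make check-deny` step removed from test.yml in this same commit, advisory and license findings on a dependency change now surface only on the nightly schedule or when someone comments `/ci-run-deny`; the header comment could state that, and the scheduled run has no failure notification here, so nightly findings are easy to miss.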