diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index a7f37d2710e..9c4c5341418 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -58,6 +58,11 @@ jobs:
 run: |
 [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
+ - name: "🚔 Sonatype Scan"
+ id: sonatypescan
+ run: |
+ ./gradlew ossIndexAudit --no-parallel
+
 - name: "🛠 Build with Gradle"
 id: gradle
 run: |
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 60aef5142f6..e1529303615 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -14,4 +14,5 @@ dependencies {
 implementation libs.tomlj
 implementation libs.japicmp.gradle.plugin
 implementation libs.native.gradle.plugin
+ implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/src/main/groovy/io/micronaut/build/internal/io.micronaut.build.internal.convention-core-library.gradle b/buildSrc/src/main/groovy/io/micronaut/build/internal/io.micronaut.build.internal.convention-core-library.gradle
index 17fc6a7b9fb..4b3f777468a 100644
--- a/buildSrc/src/main/groovy/io/micronaut/build/internal/io.micronaut.build.internal.convention-core-library.gradle
+++ b/buildSrc/src/main/groovy/io/micronaut/build/internal/io.micronaut.build.internal.convention-core-library.gradle
@@ -1,3 +1,14 @@
 plugins {
 id "io.micronaut.build.internal.convention-library"
+ id("org.sonatype.gradle.plugins.scan")
 }
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+ossIndexAudit {
+ username = ossIndexUsername
+ password = ossIndexPassword
+}
+}
+
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 725f0398c5c..2ff1bba0e87 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
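Review bot: The new `Sonatype Scan` step in `.github/workflows/gradle.yml` declares no `env:`, so unless `OSS_INDEX_USERNAME` and `OSS_INDEX_PASSWORD` are exported at job or workflow level (outside this hunk), the convention plugin's credential check stays false and `ossIndexAudit` queries OSS Index anonymously. If that is not intended, add `env:` to the step with `OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}` and `OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}` (the secret names here are placeholders). The step also sits ahead of "Build with Gradle", so a newly published advisory or an unreachable service stops the build before compilation; consider whether it should be a separate job or a non-blocking step. Pull requests from forks do not receive repository secrets, so decide explicitly what the scan should do there. The `steps` list this entry belongs to starts above the hunk.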
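Review bot: In `buildSrc/build.gradle`, `implementation(libs.sonatype.scan)` uses the parenthesised call form while the three entries above it in the same `dependencies` block use `implementation libs.…`; write it as `implementation libs.sonatype.scan` to match. The convention plugin's `plugins` block shows the same mix (`id "…"` next to `id("…")`). The `dependencies` block opens above the hunk.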
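Review bot: In `io.micronaut.build.internal.convention-core-library.gradle`, `sonatypePluginConfigured` only tests for `null`, so an `ossIndexUsername` or `ossIndexPassword` Gradle property that is set but empty is still handed to `ossIndexAudit` as a blank credential; Groovy truth covers both cases with `boolean sonatypePluginConfigured = ossIndexUsername && ossIndexPassword`. When the check is false the plugin is still applied and the audit runs without credentials and without any message, so a `logger.lifecycle(...)` line saying the scan is unauthenticated (never printing the values) would make a misconfigured run visible. `findProperty("ossIndexPassword")` is the usual lookup in place of `project.properties[...]`. A short comment should also say the password belongs in the environment or the user-level `gradle.properties` rather than in a `-P` argument. The `ossIndexAudit { … }` block should be indented inside the `if`.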
@@ -84,6 +84,7 @@ managed-reactor = "3.6.10"
 managed-snakeyaml = "2.2"
 managed-java-parser-core = "3.26.3"
 managed-ksp = "1.9.25-1.0.20"
+sonatype-scan = "2.8.3"
 micronaut-docs = "2.0.0"
 [libraries]
@@ -164,6 +165,7 @@ managed-reactor-test = { module = "io.projectreactor:reactor-test", version.ref
 managed-snakeyaml = { module = "org.yaml:snakeyaml", version.ref = "managed-snakeyaml" }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
 #
 # Other libraries are used by Micronaut but will not appear in the BOM
 #