diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index e284483..ea39c5a 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -7,6 +7,9 @@ on:
 description: 'Node.js version to use'
 type: string
 default: '22.1.0'
+ secrets:
+ fossa-api-key:
+ description: 'API key used for Fossa scan'

 jobs:
 commit-lint:
@@ -26,7 +29,7 @@ jobs:
 cache: 'npm'

 - name: Cache dependencies
- uses: actions/cache@v3
+ uses: actions/cache@v4
 id: node-modules-cache
 with:
 path: '**/node_modules'
@@ -55,7 +58,7 @@ jobs:
 cache: 'npm'

 - name: Cache dependencies
- uses: actions/cache@v3
+ uses: actions/cache@v4
 id: node-modules-cache
 with:
 path: '**/node_modules'
@@ -84,7 +87,7 @@ jobs:
 cache: 'npm'

 - name: Cache dependencies
- uses: actions/cache@v3
+ uses: actions/cache@v4
 id: node-modules-cache
 with:
 path: '**/node_modules'
@@ -113,7 +116,7 @@ jobs:
 cache: 'npm'

 - name: Cache dependencies
- uses: actions/cache@v3
+ uses: actions/cache@v4
 id: node-modules-cache
 with:
 path: '**/node_modules'
@@ -126,7 +129,7 @@ jobs:
 run: npm ci

 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
 with:
 scan-type: 'fs'
 scan-ref: '.'
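Review bot: `fossa-api-key:` is declared under `secrets:` with only a description, so a caller that omits it still passes workflow-call validation and the new fossa-scan job added later in this commit receives an empty `api-key`. If the scan is mandatory, add `required: true` under the description so a missing secret is reported as a configuration error at the call site rather than as an authentication failure inside the Fossa step. If it is meant to be optional for some callers, say so in the description, e.g. `description: 'API key used for Fossa scan (optional; the fossa-scan job cannot authenticate without it)'`.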
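Review bot: The Trivy step is the only action in this commit pinned to a full commit SHA; the `actions/cache@v3` → `@v4` bumps in the hunks at -26, -55, -84, -113 and -150 stay on a floating major tag, as do `actions/checkout@v4` and `actions/setup-node@v4` in the new fossa-scan job. If SHA pinning is the intended policy for third-party actions, record that on the step so the next reader does not revert it to a tag, e.g. `# pinned by commit SHA; update the SHA and the version trailer together`, and decide explicitly whether the GitHub-owned actions should follow the same form. Keeping the `# v0.33.1` trailer next to the SHA, as done here, is what keeps the pinned revision reviewable.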
@@ -136,6 +139,39 @@ jobs:
 ignore-unfixed: true
 scanners: 'vuln' # Only scan for vulnerabilities, not secrets

+ fossa-scan:
+ name: License - Fossa Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.node-version }}
+ cache: 'npm'
+
+ - name: Cache dependencies
+ uses: actions/cache@v4
+ id: node-modules-cache
+ with:
+ path: '**/node_modules'
+ key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-modules-
+
+ - name: Install dependencies
+ if: steps.node-modules-cache.outputs.cache-hit != 'true'
+ run: npm ci
+
+ - name: Run Fossa Analysis
+ uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
+ with:
+ api-key: ${{ secrets.fossa-api-key }}
+ branch: ${{ github.head_ref || github.ref_name }}
+ project: BitGo/advanced-wallets
+
 test:
 name: Test
 runs-on: ubuntu-latest
@@ -150,7 +186,7 @@ jobs:
 cache: 'npm'

 - name: Cache dependencies
- uses: actions/cache@v3
+ uses: actions/cache@v4
 id: node-modules-cache
 with:
 path: '**/node_modules'
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 3bcb6f0..d877358 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -15,3 +15,5 @@ jobs:
 build-and-test:
 name: Build & Test (CI)
 uses: ./.github/workflows/build-and-test.yaml
+ secrets:
+ fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
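Review bot: The new fossa-scan job declares no `permissions:` block, so unless the workflow restricts permissions at the top level (outside this hunk) its GITHUB_TOKEN carries the repository default scopes while the job only needs a read-only checkout; add `permissions:` with `contents: read` directly under `runs-on: ubuntu-latest`. `api-key: ${{ secrets.fossa-api-key }}` is passed through with no check, and because the secret is declared without `required: true` at the top of this file an absent secret surfaces only as a failure inside the Fossa step. The checkout/setup-node/cache/`npm ci` steps mirror the other jobs; if fossa-action only needs the lockfile, the cache and install steps could be dropped, but that depends on its analysis mode, which the hunk does not show. `project: BitGo/advanced-wallets` is a literal where `${{ github.repository }}` would track the repository slug; keep the literal only if the Fossa project id is intentionally fixed, and say so in a comment on that line.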
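Review bot: `fossa-api-key: ${{ secrets.FOSSA_API_KEY }}` is forwarded unconditionally; if this workflow runs on `pull_request` (the trigger is outside the hunk), pull requests opened from forks do not receive repository secrets, so the expression is empty and the called fossa-scan job fails for every external contributor instead of being skipped. For pull_request events, gate the fossa-scan job in build-and-test.yaml on same-repository PRs, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, or run the license scan on push to the default branch where the secret is always available. A one-line comment above `secrets:` naming where the secret is configured would also help the next reader, e.g. `# FOSSA_API_KEY: repository/organization secret consumed by the fossa-scan job of the reusable workflow`.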