diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 000000000..834bf58cb
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,37 @@
+name: govulncheck
+
+on:
+  schedule:
+    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
+  workflow_dispatch: # allow manual trigger for testing
+  pull_request:
+    paths:
+      - ".github/workflows/govulncheck.yml"
+
+jobs:
+  source-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
+      - name: Install govulncheck
+        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Scan source code for known vulnerabilities
+        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
+
+      - uses: ruby/action-slack@v3.2.1
+        with:
+          payload: >
+            {
+              "attachments": [{
+                "text": "${{ job.status }}: ${{ github.workflow }}
+                () of ${{ github.repository }}@${{ github.ref_name }} by ${{ github.event.head_commit.committer.name }}",
+                "color": "danger"
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        if: failure() && github.event_name == 'schedule'
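Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository's default scope even though a read-only scan plus a Slack webhook needs nothing beyond checkout; add `permissions:` / `  contents: read` at the top level (after `name:`) so the token is least-privilege regardless of the org default. The third-party `ruby/action-slack@v3.2.1` and `actions/checkout@v3` are referenced by mutable tags rather than a commit SHA (`uses: ruby/action-slack@<sha> # v3.2.1`), which is the usual hardening for a job that holds a webhook secret; `govulncheck@latest` is likewise unpinned, though for a scanner that fetches its vulnerability database at run time that may be deliberate. Separately, the Slack step only runs when `github.event_name == 'schedule'`, and the schedule payload does not appear to carry `head_commit`, so `github.event.head_commit.committer.name` will most likely expand to an empty string in the message, and the bare `()` in the text reads like a leftover placeholder (e.g. for a run link such as `${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}`); worth confirming with a `workflow_dispatch` run before relying on the notification.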