diff --git a/.fossa.yml b/.fossa.yml deleted file mode 100644 index 2b7505a1a2..0000000000 --- a/.fossa.yml +++ /dev/null @@ -1,11 +0,0 @@ -version: 3 - -project: - id: github.com/replicatedhq/kots - -targets: - only: - - type: yarn - path: web - - type: gomod - path: . diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml deleted file mode 100644 index 713691a15a..0000000000 --- a/.github/workflows/fossa.yaml +++ /dev/null @@ -1,50 +0,0 @@ -name: FOSSA license scan - -on: - pull_request_target: # this is safe as these scans do not execute provided code - branches: - - main - paths: - - go.sum - - web/yarn.lock - - push: - branches: - - main - -jobs: - fossa-scan-pr: - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - steps: - - uses: actions/checkout@v3 - with: - ref: refs/pull/${{ github.event.number }}/merge - - name: "Install FOSSA" - uses: replicatedhq/action-fossa/install@main - - name: "Run FOSSA Scan" - uses: replicatedhq/action-fossa/scan@main - with: - api-key: ${{ secrets.FOSSA_API_KEY }} - diff: true - diff-ref: ${{ github.event.pull_request.base.sha }} - debug: true - - fossa-scan-merge: - runs-on: ubuntu-latest - if: github.event_name == 'push' - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 2 - - id: previous - run: echo "sha=$(git rev-parse HEAD~1)" >> "${GITHUB_OUTPUT}" - - name: "Install FOSSA" - uses: replicatedhq/action-fossa/install@main - - name: "Run FOSSA Scan" - uses: replicatedhq/action-fossa/scan@main - with: - api-key: ${{ secrets.FOSSA_API_KEY }} - diff: true - diff-ref: ${{ steps.previous.outputs.sha }} - debug: true diff --git a/.github/workflows/license.yaml b/.github/workflows/license.yaml new file mode 100644 index 0000000000..f739f04489 --- /dev/null +++ b/.github/workflows/license.yaml 
@@ -0,0 +1,53 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  TRIVY_VERSION: 0.44.1
+
+name: License scan
+
+jobs:
+  license:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+
+      - name: Install Go deps
+        run: go mod download
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: yarn
+          cache-dependency-path: web/yarn.lock
+
+      - name: Install Node.js deps
+        working-directory: web
+        run: yarn install
+
+      - name: Install trivy
+        run: |
+          wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb"
+          sudo dpkg -i "trivy_${TRIVY_VERSION}_Linux-64bit.deb"
+
+      - name: Create license report artifact
+        run: trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" . | tee license-report.txt
+
+      - name: Upload license report artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: license-report
+          path: license-report.txt
+
+      - name: Check for unknown licenses
+        run: |
+          trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" --exit-code 1 --severity UNKNOWN . || echo "::warning::Unknown licenses found, please verify"
+
+      - name: Check for forbidden licenses and fail
+        run: trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" --exit-code 1 --severity CRITICAL,HIGH .
diff --git a/README.md b/README.md
index df5bf868cf..e9175b8029 100644
--- a/README.md
+++ b/README.md
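Review bot: The `Install trivy` step downloads a `.deb` with wget and installs it with `sudo dpkg -i` without verifying its integrity, so the scanner that the three later steps rely on is only as trustworthy as that one download; add a digest check between the two commands, e.g. `echo "<EXPECTED_SHA256_OF_DEB>  trivy_${TRIVY_VERSION}_Linux-64bit.deb" | sha256sum -c -`, with the expected digest recorded next to `TRIVY_VERSION` in `env` so a version bump updates both together. The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository's default scopes although the steps only check out code and upload an artifact; a top-level `permissions:` / `  contents: read` pins it to least privilege. `yarn install` executes package lifecycle scripts from the PR's `web` tree; since the trigger is `pull_request` rather than the removed workflow's `pull_request_target`, that code runs without secrets, which is the right choice, and if the project is on yarn classic `yarn install --ignore-scripts` would avoid running it at all, provided trivy's license scan only needs the installed package metadata (worth confirming). Finally, the three `trivy fs ... --skip-dirs ".github" --skip-files ...` invocations repeat the same flag list; keeping the shared flags in one `env` value prevents the skip list from drifting between the report, warning and fail steps.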
@@ -1,6 +1,5 @@ [![Develop on Okteto](https://okteto.com/develop-okteto.svg)](https://replicated.okteto.dev/deploy?repository=https://github.com/replicatedhq/kots) [![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/replicatedhq/kots) -[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B5995%2Fgithub.com%2Freplicatedhq%2Fkots.svg?type=small)](https://app.fossa.com/projects/custom%2B5995%2Fgithub.com%2Freplicatedhq%2Fkots?ref=badge_small) # Kubernetes Off-The-Shelf (KOTS) Software Replicated KOTS is the collective set of tools that enable the distribution and management of Kubernetes Off-The-Shelf (KOTS) software. The Kots CLI (a Kubectl plugin) is a general purpose, client-side binary for configuring and building dynamic Kubernetes manifests. The Kots CLI also serves as the bootstrapper for the in-cluster Kubernetes application Admin Console [kotsadm](https://github.com/replicatedhq/kots/tree/main/kotsadm) which can be used to automate the core Kots CLI tasks for managing applications (license verification, configuration, updates, image renaming, version controlling changes, and deployment) as well as additional KOTS tasks (running preflight checks and performing support bundle analysis).