diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
new file mode 100644
index 0000000..a5fee80
--- /dev/null
+++ b/.github/workflows/supply-chain.yml
@@ -0,0 +1,34 @@
+name: Supply Chain Verification
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ schedule:
+ - cron: '0 6 * * 1' # weekly on Monday
+
+jobs:
+ npm-provenance:
+ name: npm audit signatures
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 22
+ - uses: pnpm/action-setup@v4
+ with:
+ version: 10
+ - run: pnpm install --frozen-lockfile
+ - run: npm audit signatures
+
+ cargo-deny:
+ name: cargo deny
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ manifest-path: apps/contracts/Cargo.toml
+ command: check
+ arguments: --config apps/contracts/deny.toml
diff --git a/apps/contracts/deny.toml b/apps/contracts/deny.toml
new file mode 100644
index 0000000..41e3876
--- /dev/null
+++ b/apps/contracts/deny.toml
@@ -0,0 +1,24 @@
+[advisories]
+version = 2
+db-urls = ["https://github.com/rustsec/advisory-db"]
+ignore = []
+
+[licenses]
+version = 2
+allow = [
+ "Apache-2.0",
+ "MIT",
+ "ISC",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "Unicode-3.0",
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "deny"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
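Review bot: Every `uses:` line in both jobs pins its action to a mutable tag (`actions/checkout@v4`, `actions/setup-node@v4`, `pnpm/action-setup@v4`, `EmbarkStudios/cargo-deny-action@v2`), so a workflow whose job is supply-chain verification itself trusts whatever those tags resolve to on the day it runs. Pin each to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and let Dependabot or Renovate advance the SHA. The workflow also declares no `permissions:` block, so both jobs run with the repository's default token scope; a top-level `permissions:` / `  contents: read` keeps them read-only, which is all that checkout and the two checks need. Separately, whether `npm audit signatures` actually sees packages installed by pnpm is worth confirming on a local run: it verifies the tree npm's own loader finds, and a pnpm-managed node_modules with no package-lock.json may leave it with nothing to verify, which would pass silently.
```yaml
permissions:
  contents: read

jobs:
  npm-provenance:
    # … unchanged: name, runs-on …
    steps:
      - uses: actions/checkout@<full-commit-sha>  # v4
      - uses: actions/setup-node@<full-commit-sha>  # v4
      # … unchanged: with: node-version …
      - uses: pnpm/action-setup@<full-commit-sha>  # v4
      # … unchanged: with: version, run steps …
  cargo-deny:
    # … unchanged: name, runs-on …
    steps:
      - uses: actions/checkout@<full-commit-sha>  # v4
      - uses: EmbarkStudios/cargo-deny-action@<full-commit-sha>  # v2
      # … unchanged: with: manifest-path, command, arguments …
```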
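Review bot: The policy file carries no comments, so a maintainer who later adds an entry to `ignore = []` has no stated rule for what an exception must record, and `multiple-versions = "warn"` gives no hint that it was deliberately left non-blocking. I'd add above `[advisories]` a comment that each ignore entry must name the RUSTSEC advisory id, the reason it does not apply to this crate, and a date to re-review it, and above `multiple-versions` a one-line note that duplicate crate versions are reported but do not fail the check. `allow-registry` lists the git index URL; if the project resolves crates through the sparse protocol, confirm cargo-deny treats that as the same crates.io source, since `unknown-registry = "deny"` would otherwise reject every dependency.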