diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml new file mode 100644 index 0000000000..69e1381b5b --- /dev/null +++ b/.github/workflows/cargo-audit.yml @@ -0,0 +1,12 @@ +name: Run cargo-audit +on: + schedule: + - cron: '0 0 * * *' +jobs: + security_audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - uses: actions-rs/audit-check@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c38b7cc1a3..896bf764d0 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,7 +47,7 @@ jobs: curl -L https://github.com/EmbarkStudios/cargo-deny/releases/download/0.8.5/cargo-deny-0.8.5-x86_64-unknown-linux-musl.tar.gz | tar xzf - mv cargo-deny-*-x86_64-unknown-linux-musl/cargo-deny cargo-deny echo `pwd` >> $GITHUB_PATH - - run: cargo deny check + - run: cargo deny check bans licenses doc: name: Doc build @@ -458,21 +458,6 @@ jobs: files: "dist/*" token: ${{ secrets.GITHUB_TOKEN }} - cargo-audit: - env: - CARGO_AUDIT_VERSION: 0.11.2 - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: actions/cache@v1 - with: - path: ${{ runner.tool_cache }}/cargo-audit - key: cargo-audit-bin-${{ env.CARGO_AUDIT_VERSION }} - - run: echo "${{ runner.tool_cache }}/cargo-audit/bin" >> $GITHUB_PATH - - run: | - cargo install --root ${{ runner.tool_cache }}/cargo-audit --version ${{ env.CARGO_AUDIT_VERSION }} cargo-audit - cargo audit - verify-publish: runs-on: ubuntu-latest steps: diff --git a/deny.toml b/deny.toml index 0b6df1e954..1bfbbf46c8 100644 --- a/deny.toml +++ b/deny.toml @@ -8,13 +8,6 @@ targets = [ { triple = "aarch64-linux-android" }, ] -# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html -[advisories] -vulnerability = "deny" -unmaintained = "deny" -yanked = "deny" -ignore = [] - # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html [licenses] allow = [ 
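Review bot: Both third-party actions in the new cargo-audit.yml workflow are pinned to the mutable `v1` tag, and `actions-rs/audit-check@v1` is handed a write-capable `GITHUB_TOKEN` so it can file issues; a tag can be moved to a different commit, so a compromised or hijacked action would receive that token. Pin each `uses:` to the full commit SHA of the intended release and keep the tag as a trailing comment (`- uses: actions-rs/audit-check@<commit-sha> # v1`), and since this is a standalone workflow, scope the token explicitly with a top-level `permissions: { contents: read, issues: write }` so it carries nothing beyond what creating advisory issues requires. `actions/checkout@v1` is also a major version behind the `@v2` that main.yml already uses; matching it avoids maintaining two checkout versions in one repository. Note that `schedule` triggers run only against the default branch and GitHub disables scheduled workflows after a period of repository inactivity, so adding `workflow_dispatch:` alongside the cron gives a manual way to re-run the audit when needed.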
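Review bot: Narrowing the step to `cargo deny check bans licenses` drops the `sources` check as well as `advisories`, so if deny.toml carries a `[sources]` section (not visible in this diff) the restriction on which registries and git hosts crates may come from is no longer enforced in CI. If that check is wanted, the line should read `- run: cargo deny check bans licenses sources`; if it is intentionally dropped, a short comment on the step saying advisories are covered by the scheduled cargo-audit workflow would save the next reader from hunting for where they went. This step sits inside a job whose header and remaining steps lie outside the hunk. Separately, the cargo-deny binary a few lines above is fetched with `curl ... | tar xzf -` and no checksum comparison; the commit does not touch that line, but it is worth a follow-up given the tool now gates the license and bans policy.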
diff --git a/docs/contributing-release-process.md b/docs/contributing-release-process.md index fad3eaa02e..89b428e5f1 100644 --- a/docs/contributing-release-process.md +++ b/docs/contributing-release-process.md @@ -10,6 +10,8 @@ made (there's also not really a body governing these decisions, it's more whimsical currently, or on request from others) then the following steps need to be executed to make the release: +1. Double-check that there are no open [rustsec advisory + issues][rustsec-issues] on the Wasmtime repository. 1. `git pull` - make sure you've got the latest changes 1. Run `rustc scripts/publish.rs` 1. Run `./publish bump` @@ -31,3 +33,5 @@ be executed to make the release: a bit between runs of the script. And that's it, then you've done a Wasmtime release. + +[rustsec-issues]: https://github.com/bytecodealliance/wasmtime/issues?q=RUSTSEC+is%3Aissue+is%3Aopen+