diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 8d41852cf874bae6be6e329101097ee2c8373917..7ef010f1dffb8e2ba4d0732ce68da5b3dc9946aa 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -56,3 +56,6 @@ jobs:
 
       - name: Check Security (vulnerable dependencies and insecure practices)
         run: make secure
+
+      - name: Check that all included packages have acceptable OSS licenses
+        run: make lint
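Review bot: The new workflow step runs `make lint`, but the target this commit adds to the Makefile for the license scan is `legal`, so the step labelled as a license check never invokes lichen; it should read `run: make legal`. Whether a `lint` target exists elsewhere in the Makefile is not visible here, but either the step fails on a missing target or it passes while running something unrelated. In the second case the license gate is silently absent. Separately, the `legal` recipe fetches the scanner with `go install github.com/uw-labs/lichen@latest`, so once wired in, CI builds and executes whatever release is current at run time. Pinning a reviewed tag (`@<pinned-version>`) would keep the gate reproducible and reduce supply-chain exposure in the pipeline.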
diff --git a/.lichen.yaml b/.lichen.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6f2bbb01c74f4f46ca9782ecad328bfa018c258a
--- /dev/null
+++ b/.lichen.yaml
@@ -0,0 +1,21 @@
+---
+# Configuration for the Lichen software license scanner.  The list below
+# represents the licenses that are currently compiled into the git-bug
+# binary (with the exception of the GPL license which is git-bug's own
+# license and is therefore compatible.)  Licenses can be added to the
+# "allow" list using the official identifiers from the SPDX License
+# List which can be found at https://spdx.org/licenses/.
+#
+# The Lichen configuration file format allows overrides (for packages
+# where the license can't be automatically discovered) and exceptions
+# (to allow disallowed licenses for certain packages).  The format for
+# this file can be found at https://github.com/uw-labs/lichen#config.
+
+allow:
+- "Apache-2.0"
+- "BSD-2-Clause"
+- "BSD-3-Clause"
+- "GPL-3.0-or-later"
+- "ISC"
+- "MIT"
+- "MPL-2.0"
diff --git a/Makefile b/Makefile
index 2d12a016d3358dc6ce4d5b33e841eba4934d5e76..9a675bc231f61f8e81293da01204a58b7653963a 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,10 @@ secure-vulnerabilities:
 	go install golang.org/x/vuln/cmd/govulncheck@latest
 	govulncheck ./... 
 
+legal: build
+	go install github.com/uw-labs/lichen@latest
+	lichen --config=.lichen.yaml ./git-bug
+
 test:
 	go test -v -bench=. ./...