diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 0000000..18f3e09
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,37 @@
+name: Coverity Scan
+
+on:
+  push:
+    branches: [coverity_scan]
+
+jobs:
+  coverity:
+    if: github.repository == 'web-eid/web-eid-authtoken-validation-php'
+    runs-on: ubuntu-latest
+    env:
+      TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+      PROJECTNAME: 'web-eid/web-eid-authtoken-validation-php'
+    steps:
+    - uses: actions/checkout@v5
+    - name: Download Coverity Build Tool
+      run: |
+        curl --silent --data "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/linux64
+        mkdir cov-analysis-linux64
+        tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+
+    - name: Build
+      run: |
+        export PATH=$PWD/cov-analysis-linux64/bin:$PATH
+        coverity capture --dir cov-int --project-dir . --file-include-regex '(^|/)(src|tests|example)/.*\.(php)$'
+
+    - name: Submit the result to Coverity Scan
+      run: |
+        tar czvf upload.tgz cov-int
+        curl --silent \
+          --form project=$PROJECTNAME \
+          --form token=$TOKEN \
+          --form email=eid-teenusehaldus@ria.ee \
+          --form file=@upload.tgz \
+          --form version=master \
+          --form description="Github Actions CI build" \
+          https://scan.coverity.com/builds?project=$PROJECTNAME