diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 0000000..2d4f78a
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,38 @@
+name: Coverity Scan
+
+on: workflow_dispatch
+
+jobs:
+  latest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: update build environment
+        run: sudo apt-get update --fix-missing -y
+      - name: install prerequisites
+        run: sudo apt-get install -y zlib1g-dev
+      - name: Download Coverity Build Tool
+        run: |
+          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=michaelrsweet/pdfio" -O cov-analysis-linux64.tar.gz
+          mkdir cov-analysis-linux64
+          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+
+      - name: Build with cov-build
+        run: |
+          export PATH=`pwd`/cov-analysis-linux64/bin:$PATH
+          cov-build --dir cov-int make
+      - name: Submit the result to Coverity Scan
+        run: |
+          tar czvf pdfio-cov.tgz cov-int
+          curl \
+            --form project=ruby \
+            --form token=$TOKEN \
+            --form email=michael.r.sweet@gmail.com \
+            --form file=@pdfio-cov.tgz \
+            --form version="Master" \
+            --form description="Snapshot" \
+            "https://scan.coverity.com/builds?project=michaelrsweet%2Fpdfio"
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}