diff --git a/.fossa.yml b/.fossa.yml
index 6a959204a..16c31db02 100644
--- a/.fossa.yml
+++ b/.fossa.yml
@@ -7,12 +7,17 @@ project: telemetry: scope: 'off'
-# We need to specify it per-each package. See fossa_* branches.
-# targets:
-# only:
-# - type: pipenv
-# path: path-here
-#
-# paths:
-# only:
-# - path-here
+# Scope the scan to the published gooddata-* workspace packages + the
+# generated gooddata-api-client. Each pyproject.toml is scanned independently
+# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
+# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
+paths:
+ only:
+ - packages/gooddata-sdk
+ - packages/gooddata-pandas
+ - packages/gooddata-dbt
+ - packages/gooddata-fdw
+ - packages/gooddata-flight-server
+ - packages/gooddata-flexconnect
+ - packages/gooddata-pipelines
+ - gooddata-api-client
diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml
new file mode 100644
index 000000000..9f1d85e9a
--- /dev/null
+++ b/.github/workflows/fossa.yaml
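Review bot: In `.fossa.yml` the new `paths.only` list is an allowlist, so a package later added under `packages/` is left out of the licence and vulnerability scan until someone edits this list, and nothing visible in the hunk fails when that happens. The comment above the list should say so, for example `# Allowlist: a new published package must be added here or FOSSA will not scan it.` The excluded helpers (tests-support, scripts) also stop being reported; if their dependencies are installed in CI or release tooling, that is worth confirming as an accepted gap rather than a side effect.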
@@ -0,0 +1,50 @@
+# (C) 2026 GoodData Corporation
+name: FOSSA scan
+
+on:
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: Branch label to attach to the FOSSA scan.
+ required: false
+ default: master
+
+concurrency:
+ group: fossa-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ fossa:
+ name: FOSSA scan
+ runs-on:
+ group: infra1-runners-arc
+ labels: runners-small
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Check that .fossa.yml exists
+ shell: bash
+ run: |
+ [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; }
+
+ - name: Workaround for "no targets found" error
+ shell: bash
+ run: |
+ [ -f ./requirements.txt ] || touch ./requirements.txt
+
+ - name: Run FOSSA analyze
+ uses: fossas/fossa-action@v1.9.0
+ with:
+ api-key: ${{ secrets.FOSSA_API_KEY }}
+ branch: ${{ inputs.branch }}
+
+ - name: Run FOSSA test (policy gate)
+ uses: fossas/fossa-action@v1.9.0
+ with:
+ api-key: ${{ secrets.FOSSA_API_KEY }}
+ run-tests: true
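Review bot: Both `fossas/fossa-action@v1.9.0` steps receive `secrets.FOSSA_API_KEY` but are referenced by a tag, which the action's owner can move to different code; third-party actions that handle a secret should be pinned to a full commit SHA, e.g. `uses: fossas/fossa-action@<full-commit-sha> # v1.9.0`, and `actions/checkout@v6` is best pinned the same way. The checkout step keeps its default credential persistence, so adding `persist-credentials: false` under its `with:` keeps the job token away from the later third-party steps; `permissions: contents: read` already limits what that token can do. Separately, `branch` defaults to `master` whatever ref the workflow is dispatched from, so a run from another branch is recorded under the master label unless the caller overrides it; dropping the static default and passing `branch: ${{ inputs.branch || github.ref_name }}` would avoid that.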