diff --git a/.semaphore/fossa_scan.yml b/.semaphore/fossa_scan.yml
new file mode 100644
index 0000000000..4be769b2da
--- /dev/null
+++ b/.semaphore/fossa_scan.yml
@@ -0,0 +1,29 @@
+version: v1.0
+name: Run Fossa Scan
+
+agent:
+ machine:
+ type: f1-standard-2
+ os_image: ubuntu2204
+
+execution_time_limit:
+ minutes: 30
+
+blocks:
+ - name: "Trigger Fossa Scan"
+ skip:
+ # Only run on master or release branches, not PRs.
+ when: "(branch =~ 'master|release-.*') and (branch !~ '.+')"
+ dependencies: []
+ task:
+ prologue:
+ commands:
+ - "curl -fsSLH 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash"
+ - checkout
+ - retry git fetch --unshallow
+ jobs:
+ - name: "FOSSA scan"
+ commands:
+ - fossa analyze
+ secrets:
+ - name: foss-api-key
diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
index 3d54f2af95..7f3f1733c6 100644
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -166,6 +166,10 @@ promotions:
 pipeline_file: release.yml
 auto_promote:
 when: "result = 'passed' AND tag =~ '^v'"
+ - name: Run Fossa scan
+ pipeline_file: fossa_scan.yml
+ auto_promote:
+ when: "branch =~ 'master|release-.*'"
 - name: Clean Up
 pipeline_file: clean_up.yml
 # Don't auto promote if this is master or a release branch so the cache is available for the Push Images pipeline.
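Review bot: The prologue pipes `install-latest.sh` from the moving `master` ref of fossas/fossa-cli straight into `bash`, in a task that also attaches the `foss-api-key` secret, so whatever that URL serves at build time runs with the key presumably in its environment. Fetch the installer from an immutable ref instead (`.../fossa-cli/<PINNED_COMMIT_SHA>/install-latest.sh`, placeholder) and verify a recorded checksum before executing it. Pinning the script alone may still leave the downloaded CLI version floating, so pin that too if the installer allows it. Separately, the `skip.when` condition cannot be true, because a branch that matches `master|release-.*` is never empty, so the block is never skipped and the "not PRs" comment is not enforced. If the intent is to skip everything else, something like `when: "branch !~ '^(master|release-.*)$'"` expresses it.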
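Review bot: The new `auto_promote` condition `branch =~ 'master|release-.*'` is unanchored. The neighbouring `tag =~ '^v'` suggests `=~` is a partial match, in which case any branch whose name merely contains `master` or `release-` would auto-promote into the pipeline that holds the FOSSA API key. Anchoring it as `when: "branch =~ '^(master|release-.*)$'"` limits the promotion to the intended branches. Unlike the release promotion above it, this one has no `result = 'passed'` clause; if scanning failed builds is deliberate, a short comment saying so would help. The promotions list continues outside this hunk.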