diff --git a/config/tests/pom.xml b/config/tests/pom.xml
index 71be0b006..98f5862e8 100644
--- a/config/tests/pom.xml
+++ b/config/tests/pom.xml
@@ -35,6 +35,7 @@
         <maven.sources.skip>true</maven.sources.skip>
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <spotbugs.skip>true</spotbugs.skip>
+        <dependency-check.skip>true</dependency-check.skip>
     </properties>
 
     <modules>
diff --git a/etc/copyright-exclude.txt b/etc/copyright-exclude.txt
index d5e2acea2..de21e6d18 100644
--- a/etc/copyright-exclude.txt
+++ b/etc/copyright-exclude.txt
@@ -46,3 +46,4 @@ archetype-resources/pom.xml
 src/main/java/org/jboss/weld/bean/proxy/ProxyFactory.java
 etc/THIRD_PARTY_LICENSES.xml
 etc/HELIDON_THIRD_PARTY_LICENSES.xml
+etc/dependency-check-suppression.xml
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
new file mode 100644
index 000000000..1bdf3c643
--- /dev/null
+++ b/etc/dependency-check-suppression.xml
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
+<!-- Applies to Oracle HTTP Server -->
+<suppress>
+   <notes><![CDATA[
+   file name: helidon-microprofile-server-2.1.0.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/io\.helidon\.microprofile\.server/helidon\-microprofile\-server@.*$</packageUrl>
+   <cpe>cpe:/a:oracle:http_server</cpe>
+</suppress>
+
+<!-- Applies to Processing:Processing -->
+<suppress>
+   <notes><![CDATA[
+   file name: jsonp-jaxrs-1.1.6.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.glassfish/jsonp\-jaxrs@.*$</packageUrl>
+   <cpe>cpe:/a:processing:processing</cpe>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.json-api-1.1.6.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/jakarta\.json/jakarta\.json\-api@.*$</packageUrl>
+   <cpe>cpe:/a:processing:processing</cpe>
+</suppress>
+
+<!-- We use snakeyaml for reading local configuration, so this CVE
+     does not apply to our use case. For more information:
+     https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
+     https://bitbucket.org/asomov/snakeyaml/wiki/Changes
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: snakeyaml-1.24.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+   <cve>CVE-2017-18640</cve>
+</suppress>
+
+<!-- weld-probe-core contains META-INF/client/probe.js which has some javascript
+     CVEs. This javascript appears to be for developement and is never served
+     by Helidon. So we exclude these CVEs
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2015-9251</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2018-14040</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2018-14041</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2018-14042</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2019-11358</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2019-8331</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2020-11022</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <cve>CVE-2020-11023</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: weld-probe-core-3.1.4.Final.jar: probe.js
+   ]]></notes>
+   <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
+   <vulnerabilityName>reDOS - regular expression denial of service</vulnerabilityName>
+</suppress>
+<!-- End of Weld/javascript related supressions -->
+
+<!-- This CVE is against the etcd server. We ship a Java client -->
+<suppress>
+   <notes><![CDATA[
+   file name: etcd4j-2.17.0.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.mousio/etcd4j@.*$</packageUrl>
+   <cpe>cpe:/a:etcd:etcd</cpe>
+</suppress>
+
+<!-- This CVE is against the Java Websocket project.  Not the Jakarta WebSocket API.
+     See https://github.com/TooTallNate/Java-WebSocket/security/advisories/GHSA-gw55-jm4h-x339
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.websocket-api-1.1.2.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/jakarta\.websocket/jakarta\.websocket\-api@.*$</packageUrl>
+   <cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: javax.websocket-api-1.1.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/javax\.websocket/javax\.websocket\-api@.*$</packageUrl>
+   <cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
+</suppress>
+
+</suppressions>
diff --git a/etc/scripts/owasp-dependency-check.sh b/etc/scripts/owasp-dependency-check.sh
new file mode 100755
index 000000000..59c54499f
--- /dev/null
+++ b/etc/scripts/owasp-dependency-check.sh
@@ -0,0 +1,52 @@
+#!/bin/bash -e
+#
+# Copyright (c) 2020 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -o pipefail || true  # trace ERR through pipes
+set -o errtrace || true # trace ERR through commands and functions
+set -o errexit || true  # exit the script if any statement returns a non-true return value
+
+on_error(){
+    CODE="${?}" && \
+    set +x && \
+    printf "[ERROR] Error(code=%s) occurred at %s:%s command: %s\n" \
+        "${CODE}" "${BASH_SOURCE}" "${LINENO}" "${BASH_COMMAND}"
+}
+trap on_error ERR
+
+# Path to this script
+if [ -h "${0}" ] ; then
+    readonly SCRIPT_PATH="$(readlink "${0}")"
+else
+    readonly SCRIPT_PATH="${0}"
+fi
+
+# Path to the root of the workspace
+readonly WS_DIR=$(cd $(dirname -- "${SCRIPT_PATH}") ; cd ../.. ; pwd -P)
+
+readonly RESULT_FILE=$(mktemp -t XXXdependency-check-result)
+
+source ${WS_DIR}/etc/scripts/pipeline-env.sh
+
+die(){ cat ${RESULT_FILE} ; echo "Dependency report in ${WS_DIR}/target" ; echo "${1}" ; exit 1 ;}
+
+mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate \
+        -f ${WS_DIR}/pom.xml \
+        -Dtop.parent.basedir="${WS_DIR}" \
+        > ${RESULT_FILE} || die "Error running the Maven command"
+
+grep -i "One or more dependencies were identified with known vulnerabilities" ${RESULT_FILE} \
+    && die "CVE SCAN ERROR" || echo "CVE SCAN OK"
diff --git a/examples/pom.xml b/examples/pom.xml
index 4d99e3d3f..6956b328d 100644
--- a/examples/pom.xml
+++ b/examples/pom.xml
@@ -35,6 +35,7 @@
         <maven.sources.skip>true</maven.sources.skip>
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <spotbugs.skip>true</spotbugs.skip>
+        <dependency-check.skip>true</dependency-check.skip>
     </properties>
 
     <modules>
diff --git a/microprofile/tests/pom.xml b/microprofile/tests/pom.xml
index 34d4a17f1..5afed1b01 100644
--- a/microprofile/tests/pom.xml
+++ b/microprofile/tests/pom.xml
@@ -36,6 +36,7 @@
         <maven.sources.skip>true</maven.sources.skip>
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <spotbugs.skip>true</spotbugs.skip>
+        <dependency-check.skip>true</dependency-check.skip>
     </properties>
 
     <modules>
diff --git a/pom.xml b/pom.xml
index 7c801a4e5..bd950db35 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,6 +45,7 @@
         <spotbugs.skip>false</spotbugs.skip>
         <spotbugs.threshold>Medium</spotbugs.threshold>
 
+        <dependency-check.skip>false</dependency-check.skip>
         <checkstyle.skip>false</checkstyle.skip>
         <!--
         !Version statement! - begin
@@ -112,6 +113,7 @@
         <version.plugin.shade>3.0.0</version.plugin.shade>
         <version.plugin.source>3.0.1</version.plugin.source>
         <version.plugin.spotbugs>3.1.12</version.plugin.spotbugs>
+        <version.plugin.dependency-check>6.0.2</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0-M5</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>
@@ -491,13 +493,44 @@
                         <xmlOutput>true</xmlOutput>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>${version.plugin.dependency-check}</version>
+                    <configuration>
+                        <skip>${dependency-check.skip}</skip>
+                        <skipTestScope>true</skipTestScope>
+                        <failBuildOnAnyVulnerability>false</failBuildOnAnyVulnerability>
+                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                        <excludes>
+                            <!-- Exclude stuff we do not deploy -->
+                            <exclude>io.helidon.tracing:helidon-tracing-tests</exclude>
+                            <exclude>io.helidon.config.tests*</exclude>
+                            <exclude>io.helidon.test*</exclude>
+                            <exclude>io.helidon.examples*</exclude>
+                            <exclude>io.helidon.microprofile.tests*</exclude>
+                            <!-- This should be excluded by above, but for some reason it persists -->
+                            <exclude>org.testng:testng</exclude>
+                        </excludes>
+                        <formats>
+                            <format>HTML</format>
+                            <format>CSV</format>
+                        </formats>
+                        <suppressionFiles>
+                            <!--suppress UnresolvedMavenProperty -->
+                            <suppressionFile>${top.parent.basedir}/etc/dependency-check-suppression.xml</suppressionFile>
+                        </suppressionFiles>
+                    </configuration>
+                </plugin>
                 <plugin>
                     <groupId>org.xolstice.maven.plugins</groupId>
                     <artifactId>protobuf-maven-plugin</artifactId>
                     <version>${version.plugin.protobuf}</version>
                     <configuration>
+                        <!--suppress UnresolvedMavenProperty -->
                         <protocArtifact>com.google.protobuf:protoc:3.5.1-1:exe:${os.detected.classifier}</protocArtifact>
                         <pluginId>grpc-java</pluginId>
+                        <!--suppress UnresolvedMavenProperty -->
                         <pluginArtifact>
                             io.grpc:protoc-gen-grpc-java:${version.lib.grpc}:exe:${os.detected.classifier}
                         </pluginArtifact>
@@ -1146,6 +1179,24 @@ helidon-parent,helidon-dependencies,helidon-bom,helidon-se,helidon-mp,io.grpc,he
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>dependency-check</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
         <profile>
             <id>checkstyle</id>
             <build>
diff --git a/tests/pom.xml b/tests/pom.xml
index dd4b20903..f9e87e5b3 100644
--- a/tests/pom.xml
+++ b/tests/pom.xml
@@ -38,6 +38,7 @@
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <spotbugs.skip>true</spotbugs.skip>
         <checkstyle.skip>true</checkstyle.skip>
+        <dependency-check.skip>true</dependency-check.skip>
     </properties>
 
     <modules>
diff --git a/tracing/tests/pom.xml b/tracing/tests/pom.xml
index a4704c941..954a7fae9 100644
--- a/tracing/tests/pom.xml
+++ b/tracing/tests/pom.xml
@@ -37,5 +37,6 @@
         <maven.sources.skip>true</maven.sources.skip>
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <spotbugs.skip>true</spotbugs.skip>
+        <dependency-check.skip>true</dependency-check.skip>
     </properties>
 </project>