diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 006a6d31..15ad4d19 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -19,10 +19,3 @@ jobs:
       - uses: rustsec/audit-check@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-  cargo-deny:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: EmbarkStudios/cargo-deny-action@v2
-        with:
-          command: check advisories bans licenses sources
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
new file mode 100644
index 00000000..df4c5e41
--- /dev/null
+++ b/.github/workflows/deny.yml
@@ -0,0 +1,20 @@
+name: CI
+on: [push, pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    steps:
+      - uses: actions/checkout@v4.2.2
+      - uses: EmbarkStudios/cargo-deny-action@v2.0.4
+        with:
+          command: check ${{ matrix.checks }}
+          arguments: --exclude addchain
diff --git a/Cargo.lock b/Cargo.lock
index 985791b9..0f23a43a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -793,7 +793,7 @@ dependencies = [
  "base64 0.22.1",
  "clap 4.5.27",
  "config",
- "dotenv",
+ "dotenvy",
  "flume",
  "futures",
  "hex",
@@ -2401,12 +2401,6 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10"
 
-[[package]]
-name = "dotenv"
-version = "0.15.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77c90badedccf4105eca100756a0b1289e191f6fcbdadd3cee1d2f614f97da8f"
-
 [[package]]
 name = "dotenvy"
 version = "0.15.7"
diff --git a/Cargo.toml b/Cargo.toml
index dc797579..d21c921a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -30,7 +30,7 @@ blake2 = "0.10.6"
 clap = "4.5.4"
 config = "0.14.0"
 dcap-rs = { git = "https://github.com/automata-network/dcap-rs.git" }
-dotenv = "0.15.0"
+dotenvy = "0.15.7"
 fastcrypto = "0.1.8"
 flume = "0.11.1"
 futures = "0.3.30"
diff --git a/atoma-bin/atoma_node.rs b/atoma-bin/atoma_node.rs
index f40c9913..1b2707d4 100644
--- a/atoma-bin/atoma_node.rs
+++ b/atoma-bin/atoma_node.rs
@@ -16,7 +16,6 @@ use atoma_state::{config::AtomaStateManagerConfig, AtomaState, AtomaStateManager
 use atoma_sui::{client::AtomaSuiClient, AtomaSuiConfig, SuiEventSubscriber};
 use atoma_utils::spawn_with_shutdown;
 use clap::Parser;
-use dotenv::dotenv;
 use futures::future::try_join_all;
 use hf_hub::{api::sync::ApiBuilder, Repo, RepoType};
 use sui_keys::keystore::FileBasedKeystore;
@@ -127,7 +126,7 @@ impl Config {
 /// async fn example() -> Result<()> {
 ///     let models = vec!["facebook/opt-125m".to_string()];
 ///     let revisions = vec!["main".to_string()];
-///     
+///
 ///     let tokenizers = initialize_tokenizers(&models, &revisions).await?;
 ///     Ok(())
 /// }
@@ -177,7 +176,7 @@ async fn initialize_tokenizers(
 async fn main() -> Result<()> {
     let _log_guards = setup_logging(LOGS).context("Failed to setup logging")?;
 
-    dotenv().ok();
+    dotenvy::dotenv().ok();
 
     let args = Args::parse();
     let config = Config::load(&args.config_path).await?;
diff --git a/atoma-service/Cargo.toml b/atoma-service/Cargo.toml
index 2106fad6..1dbd5666 100644
--- a/atoma-service/Cargo.toml
+++ b/atoma-service/Cargo.toml
@@ -19,7 +19,7 @@ axum = { workspace = true }
 base64 = { workspace = true }
 clap = { workspace = true }
 config = { workspace = true }
-dotenv = { workspace = true }
+dotenvy = { workspace = true }
 flume = { workspace = true }
 futures = { workspace = true }
 hex = { workspace = true }
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..f8a2c135
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,149 @@
+# This section is considered when running `cargo deny check advisories`
+# More documentation for the advisories section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+# Version of the advisory config. See https://github.com/EmbarkStudios/cargo-deny/pull/611
+version = 2
+# The path where the advisory database is cloned/fetched into
+db-path = "~/cargo/advisory-db"
+# The url of the advisory database to use
+db-urls = ["https://github.com/rustsec/advisory-db"]
+# The lint level for crates that have been yanked from their source registry
+yanked = "warn"
+# A list of advisory IDs to ignore. Note that ignored advisories will still
+# output a note when they are encountered.
+ignore = [
+	# These are all related to the sui SDK, which is outside of our control
+	# derivative is not maintained
+	"RUSTSEC-2024-0388",
+	# difference 2.0.0 is unmaintained
+	"RUSTSEC-2020-0095",
+	# we don't do RSA signing on Sui (only verifying for zklogin)
+	"RUSTSEC-2023-0071",
+	# allow yaml-rust being unmaintained
+	"RUSTSEC-2024-0320",
+	# allow unmaintained proc-macro-error used in transitive dependencies
+	"RUSTSEC-2024-0370",
+]
+# Threshold for security vulnerabilities, any vulnerability with a CVSS score
+# lower than the range specified will be ignored. Note that ignored advisories
+# will still output a note when they are encountered.
+# * None - CVSS Score 0.0
+# * Low - CVSS Score 0.1 - 3.9
+# * Medium - CVSS Score 4.0 - 6.9
+# * High - CVSS Score 7.0 - 8.9
+# * Critical - CVSS Score 9.0 - 10.0
+#severity-threshold =
+
+# This section is considered when running `cargo deny check licenses`
+# More documentation for the licenses section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
+[licenses]
+# Version of the license config. See https://github.com/EmbarkStudios/cargo-deny/pull/611
+version = 2
+# List of explicitly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
+allow = [
+	"Apache-2.0 WITH LLVM-exception",
+	"Apache-2.0",
+	"BSD-2-Clause",
+	"BSD-3-Clause",
+	"ISC",
+	"MIT",
+	"MPL-2.0",
+	"BSL-1.0",
+	"OpenSSL",
+	"CC0-1.0",
+	"Unlicense",
+	"Unicode-3.0",
+	"Zlib",
+]
+# The confidence threshold for detecting a license from license text.
+# The higher the value, the more closely the license text must be to the
+# canonical license text of a valid SPDX license file.
+# [possible values: any between 0.0 and 1.0].
+confidence-threshold = 0.8
+# Allow 1 or more licenses on a per-crate basis, so that particular licenses
+# aren't accepted for every possible crate as with the normal allow list
+exceptions = [
+
+	{ allow = [
+		"MIT",
+	], name = "addchain" },
+	{ allow = [
+		"MIT",
+	], name = "anemo" },
+	{ allow = [
+		"MIT",
+	], name = "addr2line" },
+]
+
+# Some crates don't have (easily) machine readable licensing information,
+# adding a clarification entry for it allows you to manually specify the
+# licensing information
+[[licenses.clarify]]
+name = "ring"
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+[licenses.private]
+# If true, ignores workspace crates that aren't published, or are only
+# published to private registries
+ignore = false
+# One or more private registries that you might publish crates to, if a crate
+# is only published to private registries, and ignore is true, the crate will
+# not have its license(s) checked
+#registries = [
+#]
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+# The graph highlighting used when creating dotgraphs for crates
+# with multiple versions
+# * lowest-version - The path to the lowest versioned duplicate is highlighted
+# * simplest-path - The path to the version with the fewest edges is highlighted
+# * all - Both lowest-version and simplest-path are used
+highlight = "all"
+# List of crates that are allowed. Use with care!
+#allow = [
+#]
+# List of crates to deny
+#deny = [
+#]
+# Certain crates/versions that will be skipped when doing duplicate detection.
+#skip = [
+#]
+# Similarly to `skip` allows you to skip certain crates during duplicate
+# detection. Unlike skip, it also includes the entire tree of transitive
+# dependencies starting at the specified crate, up to a certain depth, which is
+# by default infinite
+#skip-tree = [
+#]
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+# Lint level for what to happen when a crate from a crate registry that is not
+# in the allow list is encountered
+unknown-registry = "deny"
+# Lint level for what to happen when a crate from a git repository that is not
+# in the allow list is encountered
+unknown-git = "deny"
+# List of URLs for allowed crate registries. Defaults to the crates.io index
+# if not specified. If it is specified but empty, no registries are allowed.
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+# Allow the mysten labs repositories for Sui
+allow-git = [
+	"https://github.com/asonnino/prometheus-parser",
+	"https://github.com/zhiburt/tabled",
+]
+
+[sources.allow-org]
+github = ["mystenmark", "bmwill", "mystenlabs", "nextest-rs", "rustls"]