diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..7b7a74de
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,103 @@
+---
+name: Faux Scan
+
+on:
+ pull_request:
+ branches: ["main"]
+ types:
+ - synchronize
+ - labeled
+
+jobs:
+ on-labeled-pr:
+ if: ${{ contains(github.event.action, 'labeled') && contains(github.event.*.labels.*.name, 'covscan') }}
+ name: Coverity Scan on PR
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ container: fedora:latest
+ steps:
+ - name: Install Dependencies
+ run: |
+ dnf -y install git gcc meson pkgconf-pkg-config \
+ openssl-devel openssl \
+ nss-softokn nss-tools nss-softokn-devel \
+ gh
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{github.event.pull_request.head.sha}}
+ - name: Setup
+ run: |
+ meson setup builddir
+ env:
+ CC: gcc
+ - name: Coverity Scan
+ uses: vapier/coverity-scan-action@v1
+ with:
+ project: "PKCS%2311+Provider"
+ email: ${{ secrets.COVERITY_SCAN_EMAIL }}
+ token: ${{ secrets.COVERITY_SCAN_TOKEN }}
+ - name: Remove Label
+ if: always()
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.number }}
+ run: gh pr edit "$NUMBER" --remove-label "covscan"
+
+ on-no-covscan-labeled-pr:
+ if: ${{ contains(github.event.action, 'labeled') && contains(github.event.*.labels.*.name, 'covscan-ok') }}
+ name: Coverity Scan on PR
+ runs-on: ubuntu-latest
+ steps:
+ - name: Coverity Scan not needed
+ run: echo "Dummy action to report all ok and mark covscan as handled"
+
+ on-synchronize-no-source-changes:
+ if: ${{ contains(github.event.action, 'synchronize') && ! contains(github.event.*.labels.*.name, 'covscan-ok') }}
+ name: Coverity Scan on PR
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Check changed files
+ id: changed-sources
+ uses: tj-actions/changed-files@v44
+ with:
+ files: |
+ src/**
+ - name: Coverity Scan not needed
+ if: steps.changed-sources.outputs.any_changed == 'false'
+ run: |
+ echo "No Source files changed, no covscan needed"
+ - name: Coverity Scan is needed
+ if: steps.changed-sources.outputs.any_changed == 'true'
+ run: |
+ echo "Source files changed, covscan is needed"
+
+ on-synchronize-covscan-ok:
+ if: ${{ contains(github.event.action, 'synchronize') && contains(github.event.*.labels.*.name, 'covscan-ok') }}
+ name: Coverity Scan on PR
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Check changed files
+ id: changed-sources
+ uses: tj-actions/changed-files@v44
+ with:
+ base_sha: ${{ github.event.before }}
+ files: |
+ src/**
+ continue-on-error: true
+ - name: Coverity Scan not needed
+ if: ${{ steps.changed-sources.outcome == 'success' && steps.changed-sources.outputs.any_changed == 'false' }}
+ run: echo "Dummy action to report all ok and mark covscan as handled"
+ - name: Coverity Scan is needed
+ if: ${{ steps.changed-sources.outcome == 'failure' || steps.changed-sources.outputs.any_changed == 'true' }}
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.number }}
+ run: |
+ gh pr edit "$NUMBER" --remove-label "covscan"
+ false
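Review bot: The third-party actions `tj-actions/changed-files@v44` and `vapier/coverity-scan-action@v1` (and `actions/checkout@v4`) are referenced by mutable version tags, and the Coverity step hands `secrets.COVERITY_SCAN_TOKEN` to whatever commit that tag resolves to at run time, so a retargeted or compromised tag would execute with the job's secrets. Pin each `uses:` to a full commit SHA with the version kept in a comment, e.g. `uses: vapier/coverity-scan-action@<full-commit-sha>  # v1`, and let Dependabot keep the SHAs current. Separately, the final `Coverity Scan is needed` step in `on-synchronize-covscan-ok` runs `--remove-label "covscan"` although that job is gated on the `covscan-ok` label; it looks like `gh pr edit "$NUMBER" --remove-label "covscan-ok"` was intended, so that a stale scan approval is cleared when `src/**` changes. That job also declares no `permissions:` block, so with a read-only default `GITHUB_TOKEN` the `gh pr edit` call would presumably fail before `false` runs and the label would silently stay; add `permissions: pull-requests: write` as `on-labeled-pr` does. Finally, `contains(github.event.action, 'labeled')` is a substring test; `github.event.action == 'labeled'` states the intent exactly and stays correct if `unlabeled` is ever added to `types:`.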