diff --git a/.github/repository-settings.md b/.github/repository-settings.md
index 464147983..c7c198ab7 100644
--- a/.github/repository-settings.md
+++ b/.github/repository-settings.md
@@ -22,9 +22,8 @@ private admin repo.
 - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
- - Generated at
- - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_OSS_INDEX_USER` - owned by [@trask](https://github.com/trask)
+- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_KEY` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_USER` - owned by [@trask](https://github.com/trask)
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
index 914475be9..98d898b75 100644
--- a/.github/workflows/owasp-dependency-check-daily.yml
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@@ -1,6 +1,6 @@
 # the benefit of this over renovate is that this also analyzes transitive dependencies
 # while renovate (at least currently) only analyzes top-level dependencies
-name: OWASP dependency check (daily)
+name: OSS Index dependency audit (daily)
 
 on:
 schedule:
@@ -22,22 +22,22 @@ jobs:
 distribution: temurin
 java-version: 21
- - name: Increase gradle daemon heap size
- run: |
- sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx3g /" gradle.properties
- - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
- - run: ./gradlew dependencyCheckAnalyze
+ - run: ./gradlew ossIndexAudit
+ id: audit
+ continue-on-error: true
 env:
- NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
+ SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
- - name: Upload report
- if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- with:
- path: "**/build/reports"
+ - name: Print vulnerability report
+ if: steps.audit.outcome == 'failure'
+ run: |
+ echo "=== OSS Index Vulnerability Report ==="
+ cat oss-index-cyclonedx-bom.json
+ exit 1
 
 workflow-notification:
 permissions:
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
index 32dfaa779..71da9a7a3 100644
--- a/buildSrc/build.gradle.kts
+++ b/buildSrc/build.gradle.kts
@@ -15,7 +15,7 @@ dependencies {
 implementation("com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:8.3.0")
 implementation("net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:5.1.0")
 implementation("net.ltgt.nullaway:net.ltgt.nullaway.gradle.plugin:3.0.0")
- implementation("org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:12.2.0")
+ implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.4")
 implementation("ru.vyarus.animalsniffer:ru.vyarus.animalsniffer.gradle.plugin:2.0.1")
 implementation("com.gradle.develocity:com.gradle.develocity.gradle.plugin:4.3.2")
 implementation("me.champeau.gradle.japicmp:me.champeau.gradle.japicmp.gradle.plugin:0.4.6")
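Review bot: The report step's `cat oss-index-cyclonedx-bom.json` assumes a single report at the workspace root, but `ossIndexAudit` is configured in the shared conventions script and so runs once per subproject; if the plugin writes its report relative to each project directory (verify against the plugin's documentation), the `cat` aborts under the runner's default `bash -e` with "No such file" and the job fails without ever showing the findings it was added to print. A path-independent form such as `find . -name oss-index-cyclonedx-bom.json -exec cat {} +` would survive either layout. The hunk also removes the `gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2` step together with the heap-size step, which looks incidental to the tool swap: that step supplied Gradle caching and, in recent versions, gradle-wrapper validation for this job, so unless a separate wrapper-validation workflow covers it, keep the `- uses:` line before `- run: ./gradlew ossIndexAudit`.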
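Review bot: The new `implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.4")` line pins a version but, unlike the SHA-pinned actions in the workflow, nothing here pins the artifact itself, and this plugin executes inside the build with the OSS Index credentials in its environment and makes outbound requests. If the repository does not already use Gradle dependency verification (`gradle/verification-metadata.xml`), this swap is a reasonable point to introduce it for buildSrc; if it does, the checksum entries for the old plugin should be replaced by entries for the new one alongside this line.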
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index 08211234e..a55d65f88 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -8,7 +8,7 @@ plugins {
 id("otel.errorprone-conventions")
 id("otel.spotless-conventions")
 id("otel.japicmp-conventions")
- id("org.owasp.dependencycheck")
+ id("org.sonatype.gradle.plugins.scan")
 }
 
 val otelJava = extensions.create("otelJava")
@@ -217,10 +217,8 @@ afterEvaluate {
 }
 }
 
-dependencyCheck {
- scanConfigurations = mutableListOf("runtimeClasspath")
- suppressionFile = "buildscripts/dependency-check-suppressions.xml"
- failBuildOnCVSS = 7.0f // fail on high or critical CVE
- nvd.apiKey = System.getenv("NVD_API_KEY")
- nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
+ossIndexAudit {
+ username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
+ password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
+ outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
 }
diff --git a/buildscripts/dependency-check-suppressions.xml b/buildscripts/dependency-check-suppressions.xml
deleted file mode 100644
index a808ebe9f..000000000
--- a/buildscripts/dependency-check-suppressions.xml
+++ /dev/null
@@ -1,13 +0,0 @@
- - - - ^pkg:maven/com\.squareup\.wire/wire-runtime-jvm@.*$ - cpe:/a:wire:wire - - - - ^pkg:maven/io\.opentelemetry/opentelemetry-exporter-prometheus@.*$ - cpe:/a:prometheus:prometheus - -
diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts
index dce920530..600068d41 100644
--- a/custom-checks/build.gradle.kts
+++ b/custom-checks/build.gradle.kts
@@ -80,8 +80,3 @@ configurations {
 }
 }
 }
-
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
-}
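Review bot: The `ossIndexAudit {}` block drops the severity gate the old `failBuildOnCVSS = 7.0f` provided and, with the suppressions file deleted, leaves no OSS Index counterpart for triaging false positives, so the first low-severity or disputed finding will fail the daily job with nowhere documented to record the decision; if the plugin's extension offers an exclusion list for vulnerability ids or coordinates (verify against the plugin's docs), a commented placeholder plus a comment such as `// fails on any reported vulnerability; no CVSS threshold is configured` would make the policy change explicit. The `?: ""` fallbacks mean a run without the secrets (local builds, forks) sends empty credentials rather than none; unless the plugin treats an empty username as anonymous, set the properties only when the variables exist, e.g. `System.getenv("SONATYPE_OSS_INDEX_USER")?.let { username = it }`. The old `scanConfigurations = mutableListOf("runtimeClasspath")` restriction also has no counterpart, so whatever configurations the plugin selects by default are now audited; a one-line comment stating the intended scope would help the next reader. The plugins-block hunk above is the matching plugin id swap and needs nothing further.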