diff --git a/.github/workflows/ci-owasp-dep-check.yaml b/.github/workflows/ci-owasp-dep-check.yaml
new file mode 100644
index 0000000000000..2677705deb518
--- /dev/null
+++ b/.github/workflows/ci-owasp-dep-check.yaml
@@ -0,0 +1,94 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: CI - Misc - OWASP Dependency Check
+on:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - branch-*
+
+env:
+  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
+
+jobs:
+
+  owasp-dep-check:
+    name:
+    runs-on: ubuntu-latest
+    timeout-minutes: 120
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: Tune Runner VM
+        uses: ./.github/actions/tune-runner-vm
+
+      - name: Detect changed pom files
+        id: changes
+        uses: apache/pulsar-test-infra/paths-filter@master
+        with:
+          filters: |
+            poms:
+              - 'pom.xml'
+              - '**/pom.xml'
+
+      - name: Cache local Maven repository
+        if: ${{ steps.changes.outputs.poms == 'true' }}
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.m2/repository/*/*/*
+            !~/.m2/repository/org/apache/pulsar
+          key: ${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
+            ${{ runner.os }}-m2-dependencies-core-modules-
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        if: ${{ steps.changes.outputs.poms == 'true' }}
+        with:
+          distribution: 'temurin'
+          java-version: 11
+
+      - name: clean disk
+        if: ${{ steps.changes.outputs.poms == 'true' }}
+        run: |
+          sudo swapoff -a
+          sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc
+          sudo apt clean
+          docker rmi $(docker images -q) -f
+          df -h
+
+      # Projects dependent on flume, hdfs, hbase, and presto currently excluded from the scan.
+      - name: run "clean install verify" to trigger dependency check
+        if: ${{ steps.changes.outputs.poms == 'true' }}
+        run: mvn -q -B -ntp clean install verify -PskipDocker,owasp-dependency-check -DskipTests -pl '!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs'
+
+      - name: Upload report
+        uses: actions/upload-artifact@v2
+        if: ${{ cancelled() || failure() }}
+        continue-on-error: true
+        with:
+          name: dependency report
+          path: target/dependency-check-report.html
diff --git a/distribution/io/pom.xml b/distribution/io/pom.xml
index b0abad738c67a..15fea18cd18fa 100644
--- a/distribution/io/pom.xml
+++ b/distribution/io/pom.xml
@@ -125,6 +125,31 @@ + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + +
diff --git a/distribution/pom.xml b/distribution/pom.xml
index ee0a3c32decd6..f8b1a484b99a4 100644
--- a/distribution/pom.xml
+++ b/distribution/pom.xml
@@ -53,7 +53,6 @@ server -
diff --git a/pom.xml b/pom.xml
index 86bc285f7b1d3..1412831470f60 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2326,6 +2326,7 @@ flexible messaging model and an intuitive client API. ${pulsar.basedir}/src/owasp-dependency-check-false-positives.xml ${pulsar.basedir}/src/owasp-dependency-check-suppressions.xml + 7 false false false
diff --git a/pulsar-io/docs/pom.xml b/pulsar-io/docs/pom.xml
index 3b234fbf84720..c9a593a2685f9 100644
--- a/pulsar-io/docs/pom.xml
+++ b/pulsar-io/docs/pom.xml
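Review bot: The `Detect changed pom files` step pulls a third-party action from a mutable branch, `uses: apache/pulsar-test-infra/paths-filter@master`, in a workflow triggered by every `pull_request`, so whoever can push to that branch can run arbitrary code in this job; pin it to a full commit SHA (`uses: apache/pulsar-test-infra/paths-filter@<sha>  # vX.Y`), and ideally pin `actions/checkout@v2`, `actions/cache@v2`, `actions/setup-java@v2` and `actions/upload-artifact@v2` the same way rather than to floating major tags. The job also sets no `permissions:` block, so the GITHUB_TOKEN gets the repository default scope although nothing here needs more than `permissions: contents: read` at the top of the workflow. Two smaller points: `name:` under `owasp-dep-check` is left empty (parsed as null) and should be given a value or dropped, and `docker rmi $(docker images -q) -f` fails the `clean disk` step under the runner's default `bash -e` shell whenever no images are present — `docker image prune -af` covers that case. Finally, the report is uploaded only on `cancelled() || failure()`, so a passing scan leaves no artifact; `if: ${{ always() }}` keeps it for audit.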
@@ -215,5 +215,32 @@ + + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + + +
diff --git a/pulsar-io/flume/pom.xml b/pulsar-io/flume/pom.xml
index dfa3047d8e628..881648f37e548 100644
--- a/pulsar-io/flume/pom.xml
+++ b/pulsar-io/flume/pom.xml
@@ -138,5 +138,32 @@ + + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + + +
diff --git a/pulsar-io/hbase/pom.xml b/pulsar-io/hbase/pom.xml
index 4f8986541ebe7..21a95a77c799e 100644
--- a/pulsar-io/hbase/pom.xml
+++ b/pulsar-io/hbase/pom.xml
@@ -95,5 +95,32 @@ + + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + + +
diff --git a/pulsar-io/hdfs2/pom.xml b/pulsar-io/hdfs2/pom.xml
index 903c386098923..984d22e26acda 100644
--- a/pulsar-io/hdfs2/pom.xml
+++ b/pulsar-io/hdfs2/pom.xml
@@ -92,5 +92,32 @@ - + + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + + + +
\ No newline at end of file
diff --git a/pulsar-io/hdfs3/pom.xml b/pulsar-io/hdfs3/pom.xml
index d1b91600a6458..dbaca3c9d9909 100644
--- a/pulsar-io/hdfs3/pom.xml
+++ b/pulsar-io/hdfs3/pom.xml
@@ -97,5 +97,32 @@ - + + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + + + +
\ No newline at end of file
diff --git a/pulsar-io/pom.xml b/pulsar-io/pom.xml
index 2fec8d4591467..b0983456085de 100644
--- a/pulsar-io/pom.xml
+++ b/pulsar-io/pom.xml
@@ -88,7 +88,6 @@ data-generator -
diff --git a/pulsar-sql/pom.xml b/pulsar-sql/pom.xml
index a4eb11ae1f2ac..e9bca818988bf 100644
--- a/pulsar-sql/pom.xml
+++ b/pulsar-sql/pom.xml
@@ -167,4 +167,32 @@ + + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + + + +
diff --git a/tiered-storage/file-system/pom.xml b/tiered-storage/file-system/pom.xml
index c5da91959eba9..810d15dbc1fbf 100644
--- a/tiered-storage/file-system/pom.xml
+++ b/tiered-storage/file-system/pom.xml
@@ -179,4 +179,31 @@ + + + + owasp-dependency-check + + + + org.owasp + dependency-check-maven + ${dependency-check-maven.version} + + + + aggregate + + none + + + + + + +