diff --git a/.github/scripts/deny-git-deps.py b/.github/scripts/deny-git-deps.py
new file mode 100644
index 0000000000000000000000000000000000000000..4b831c9347f75bdc3c74c80d3af652c37e7ae459
--- /dev/null
+++ b/.github/scripts/deny-git-deps.py
@@ -0,0 +1,40 @@
+"""
+Script to deny Git dependencies in the Cargo workspace. Can be passed one optional argument for the
+root folder. If not provided, it will use the cwd.
+
+## Usage
+	python3 .github/scripts/deny-git-deps.py polkadot-sdk
+"""
+
+import os
+import sys
+
+from cargo_workspace import Workspace, DependencyLocation
+
+KNOWN_BAD_GIT_DEPS = {
+	'simple-mermaid': ['xcm-docs'],
+	# Fix in <https://github.com/paritytech/polkadot-sdk/issues/2922>
+	'bandersnatch_vrfs': ['sp-core'],
+}
+
+root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
+workspace = Workspace.from_path(root)
+
+def check_dep(dep, used_by):
+	if dep.location != DependencyLocation.GIT:
+		return
+	
+	if used_by in KNOWN_BAD_GIT_DEPS.get(dep.name, []):
+		print(f'ðŸ¤¨ Ignoring git dependency {dep.name} in {used_by}')
+	else:
+		print(f'ðŸš« Found git dependency {dep.name} in {used_by}')
+		sys.exit(1)	
+
+# Check the workspace dependencies that can be inherited:
+for dep in workspace.dependencies:
+	check_dep(dep, "workspace")
+
+# And the dependencies of each crate:
+for crate in workspace.crates:
+	for dep in crate.dependencies:
+		check_dep(dep, crate.name)
diff --git a/.github/workflows/checks-quick.yml b/.github/workflows/checks-quick.yml
index 3888928311a2129a1fe6d0836956d2a4ce066583..cd9baf0d1bc24bf866e89f9ce542b24e49086486 100644
--- a/.github/workflows/checks-quick.yml
+++ b/.github/workflows/checks-quick.yml
@@ -87,13 +87,15 @@ jobs:
       - name: install python deps
         run: |
           sudo apt-get update && sudo apt-get install -y python3-pip python3
-          pip3 install toml
+          pip3 install toml "cargo-workspace>=1.2.6"
       - name: check integrity
         run: >
           python3 .github/scripts/check-workspace.py .
           --exclude
           "substrate/frame/contracts/fixtures/build"
           "substrate/frame/contracts/fixtures/contracts/common"
+      - name: deny git deps
+        run: python3 .github/scripts/deny-git-deps.py .
   check-markdown:
     runs-on: ubuntu-latest
     timeout-minutes: 10