diff --git a/.gitignore b/.gitignore
index 78b2db38..d9a9b2e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,7 @@ __pycache__
 /.vscode
 /.idea
 /.gdb_history
+
+cov-analysis-linux64/
+cov-analysis-osbuild.xz
+cov-int/
diff --git a/Makefile b/Makefile
index 2bd0b3ae..6391246d 100644
--- a/Makefile
+++ b/Makefile
@@ -17,8 +17,11 @@
 BUILDDIR ?= .
 SRCDIR ?= .
 
+MKDIR ?= mkdir
 PYTHON3 ?= python3
 RST2MAN ?= rst2man
+TAR ?= tar
+WGET ?= wget
 
 SHELL = /bin/bash
 
@@ -67,6 +70,10 @@ COMMIT = $(shell (cd "$(SRCDIR)" && git rev-parse HEAD))
 #         files. Lastly, you mostly want this as order-only dependency, since
 #         timestamps on directories do not affect their content.
 #
+#     FORCE
+#         Dummy target to force .PHONY behavior. This is required if .PHONY is
+#         not an option (e.g., due to implicit targets).
+#
 
 .PHONY: help
 help:
@@ -78,11 +85,17 @@ help:
 	@echo "    help:               Print this usage information."
 	@echo "    man:                Generate all man-pages"
 	@echo
+	@echo "    coverity-download:  Force a new download of the coverity tool"
+	@echo "    coverity-check:     Run the coverity test suite"
+	@echo "    coverity-submit:    Run coverity and submit the results"
+	@echo
 	@echo "    test-all:           Run all tests"
 	@echo "    test-data:          Generate test data"
 	@echo "    test-module:        Run all module unit-tests"
 	@echo "    test-runtime:       Run all osbuild pipeline tests"
 	@echo "    test-src:           Run all osbuild source tests"
+	@echo
+	@echo "    test-coverity:      Run coverity and upload the result"
 
 $(BUILDDIR)/:
 	mkdir -p "$@"
@@ -90,6 +103,8 @@ $(BUILDDIR)/:
 $(BUILDDIR)/%/:
 	mkdir -p "$@"
 
+FORCE:
+
 #
 # Documentation
 #
@@ -108,6 +123,79 @@ $(MANPAGES_TROFF): $(BUILDDIR)/docs/%: $(SRCDIR)/docs/%.rst | $(BUILDDIR)/docs/
 .PHONY: man
 man: $(MANPAGES_TROFF)
 
+#
+# Coverity
+#
+# Download the coverity analysis tool and run it on the repository, archive the
+# analysis result and upload it to coverity. The target to do all of that is
+# `coverity-submit`.
+#
+# Individual targets exist for the respective steps.
+#
+# Needs COVERITY_TOKEN and COVERITY_EMAIL to be set for downloading
+# the analysis tool and submitting the final results.
+#
+
+COVERITY_URL = https://scan.coverity.com/download/linux64
+COVERITY_TARFILE = coverity-tool.tar.gz
+
+COVERITY_BUILDDIR = $(BUILDDIR)/coverity
+COVERITY_TOOLTAR = $(COVERITY_BUILDDIR)/$(COVERITY_TARFILE)
+COVERITY_TOOLDIR = $(COVERITY_BUILDDIR)/cov-analysis-linux64
+COVERITY_ANALYSIS = $(COVERITY_BUILDDIR)/cov-analysis-osbuild.xz
+
+.PHONY: coverity-token
+coverity-token:
+	$(if $(COVERITY_TOKEN),,$(error COVERITY_TOKEN must be set))
+
+.PHONY: coverity-email
+coverity-email:
+	$(if $(COVERITY_EMAIL),,$(error COVERITY_EMAIL must be set))
+
+.PHONY: coverity-download
+coverity-download: | coverity-token $(COVERITY_BUILDDIR)/
+	@$(RM) -rf "$(COVERITY_TOOLDIR)" "$(COVERITY_TOOLTAR)"
+	@echo "Downloading $(COVERITY_TARFILE) from $(COVERITY_URL)..."
+	@$(WGET) -q "$(COVERITY_URL)" --post-data "project=osbuild&token=$(COVERITY_TOKEN)" -O "$(COVERITY_TOOLTAR)"
+	@echo "Extracting $(COVERITY_TARFILE)..."
+	@$(MKDIR) -p "$(COVERITY_TOOLDIR)"
+	@$(TAR) -xzf "$(COVERITY_TOOLTAR)" --strip 1 -C "$(COVERITY_TOOLDIR)"
+
+$(COVERITY_TOOLTAR): | $(COVERITY_BUILDDIR)/
+	@$(MAKE) --no-print-directory coverity-download
+
+.PHONY: coverity-check
+coverity-check: $(COVERITY_TOOLTAR)
+	@echo "Running coverity suite..."
+	@$(COVERITY_TOOLDIR)/bin/cov-build \
+		--dir "$(COVERITY_BUILDDIR)/cov-int" \
+		--no-command \
+		--fs-capture-search "$(SRCDIR)" \
+		--fs-capture-search-exclude-regex "$(COVERITY_BUILDDIR)"
+	@echo "Compressing analysis results..."
+	@$(TAR) -caf "$(COVERITY_ANALYSIS)" -C "$(COVERITY_BUILDDIR)" "cov-int"
+
+$(COVERITY_ANALYSIS): | $(COVERITY_BUILDDIR)/
+	@$(MAKE) --no-print-directory coverity-check
+
+.PHONY: coverity-submit
+coverity-submit: $(COVERITY_ANALYSIS) | coverity-email coverity-token
+	@echo "Submitting $(COVERITY_ANALYSIS)..."
+	@curl --form "token=$(COVERITY_TOKEN)" \
+		--form "email=$(COVERITY_EMAIL)" \
+		--form "file=@$(COVERITY_ANALYSIS)" \
+		--form "version=main" \
+		--form "description=$$(git describe)" \
+		https://scan.coverity.com/builds?project=osbuild
+
+.PHONY: coverity-clean
+coverity-clean:
+	@$(RM) -rfv "$(COVERITY_BUILDDIR)/cov-int" "$(COVERITY_ANALYSIS)"
+
+.PHONY: coverity-clean-all
+coverity-clean-all: coverity-clean
+	@$(RM) -rfv "$(COVERITY_BUILDDIR)"
+
 #
 # Test Suite
 #