diff --git a/.github/workflows/coder.yaml b/.github/workflows/coder.yaml
index 56fac61ca018d..c20411005d6c5 100644
--- a/.github/workflows/coder.yaml
+++ b/.github/workflows/coder.yaml
@@ -102,6 +102,15 @@ jobs:
         with:
           version: v1.46.0
 
+  check-enterprise-imports:
+    name: check/enterprise-imports
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check imports of enterprise code
+        run: ./scripts/check_enterprise_imports.sh
+
   style-lint-shellcheck:
     name: style/lint/shellcheck
     timeout-minutes: 5
diff --git a/Makefile b/Makefile
index 08df31dfceea1..44eda9560992f 100644
--- a/Makefile
+++ b/Makefile
@@ -116,6 +116,7 @@ lint: lint/shellcheck lint/go
 .PHONY: lint
 
 lint/go:
+	./scripts/check_enterprise_imports.sh
 	golangci-lint run
 .PHONY: lint/go
 
diff --git a/scripts/check_enterprise_imports.sh b/scripts/check_enterprise_imports.sh
new file mode 100755
index 0000000000000..d89eeed1c0f4d
--- /dev/null
+++ b/scripts/check_enterprise_imports.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# This file checks all our AGPL licensed source files to be sure they don't
+# import any enterprise licensed packages (the inverse is fine).
+
+set -euo pipefail
+# shellcheck source=scripts/lib.sh
+source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
+cdroot
+
+set +e
+find . -regex ".*\.go" | grep -v "./enterprise" | xargs grep -n "github.com/coder/coder/enterprise"
+# reverse the exit code because we want this script to fail if grep finds anything.
+status=$?
+set -e
+if [ $status -eq 0 ]; then
+	error "AGPL code cannot import enterprise!"
+fi
+log "AGPL imports OK"