diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
index 5bcf06d6c..ec3365cac 100644
--- a/.github/workflows/osv-scanner-scheduled.yml
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -14,3 +14,19 @@ permissions:
 jobs:
   scan-scheduled:
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3"
+    with:
+      # Scan only the published modules. examples/ pins old dependency versions and
+      # is excluded for now to keep the scan green. Add it back once examples are
+      # bumped to the same versions as the production modules.
+      scan-args: |-
+        -r
+        buildSrc
+        conductor-client
+        conductor-client-metrics
+        conductor-client-spring
+        conductor-client-spring-boot4
+        harness
+        java-sdk
+        orkes-client
+        orkes-spring
+        tests
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index def5bb9da..978d5eaae 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -18,3 +18,19 @@ concurrency:
 jobs:
   scan-pr:
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.3"
+    with:
+      # Scan only the published modules. examples/ pins old dependency versions and
+      # is excluded for now to keep the scan green. Add it back once examples are
+      # bumped to the same versions as the production modules.
+      scan-args: |-
+        -r
+        buildSrc
+        conductor-client
+        conductor-client-metrics
+        conductor-client-spring
+        conductor-client-spring-boot4
+        harness
+        java-sdk
+        orkes-client
+        orkes-spring
+        tests