diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
new file mode 100644
index 00000000..1a7a8a42
--- /dev/null
+++ b/.github/workflows/secrets.yml
@@ -0,0 +1,39 @@
+name: Secrets
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ trufflehog:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Trufflehog exclusions
+ run: |
+ if [ ! -f .trufflehog-exclude.txt ]; then
+ echo "# Paths to exclude from TruffleHog scanning" > .trufflehog-exclude.txt
+ echo "node_modules/" >> .trufflehog-exclude.txt
+ echo "vendor/" >> .trufflehog-exclude.txt
+ echo "dist/" >> .trufflehog-exclude.txt
+ echo "build/" >> .trufflehog-exclude.txt
+ fi
+
+ - name: Run Trufflehog on latest commits
+ id: trufflehog
+ uses: trufflesecurity/trufflehog@main
+ continue-on-error: true
+ with:
+ path: ./
+ extra_args: --results=verified,unknown --exclude-paths .trufflehog-exclude.txt
+
+ - name: Trufflehog Scan Failure
+ if: steps.trufflehog.outcome == 'failure'
+ run: exit 1
\ No newline at end of file
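Review bot: The scanner step references a moving branch, `uses: trufflesecurity/trufflehog@main`, so every pull-request run executes whatever that branch holds at that moment against a full-history checkout (`fetch-depth: 0`); for a tool whose whole job is handling secrets that is an avoidable supply-chain exposure, so pin it to the full commit SHA of a tagged release, `uses: trufflesecurity/trufflehog@<full-commit-sha>  # vX.Y.Z`, the same way `actions/checkout@v4` is at least version-pinned. A second gap is that `.trufflehog-exclude.txt` is created only when absent and is then read from the PR's own checkout, so a pull request can ship its own exclusion file and have the scanner skip exactly the paths it wants hidden; either write the file unconditionally (drop the `if [ ! -f .trufflehog-exclude.txt ]; then` / `fi` guard) or keep the exclusion list in the workflow rather than the repository. The `continue-on-error: true` plus the trailing `exit 1` step only reproduces the step's default failure behaviour with extra moving parts; removing both and letting the scanner step fail directly is simpler and leaves fewer places where a future edit could silently turn the check non-blocking.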