diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
new file mode 100644
index 0000000..27a470f
--- /dev/null
+++ b/.github/workflows/gitleaks.yaml
@@ -0,0 +1,35 @@
+name: gitleaks
+on:
+  push:
+    branches: [main]
+  pull_request:
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: read
+      checks: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Set scan range
+        id: range
+        run: |
+          NULL_SHA="0000000000000000000000000000000000000000"
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo "log_opts=${{ github.event.pull_request.base.sha }}..HEAD" >> $GITHUB_OUTPUT
+          elif [ "${{ github.event.before }}" = "$NULL_SHA" ] || [ -z "${{ github.event.before }}" ] || [ "${{ github.event.forced }}" = "true" ]; then
+            echo "log_opts=" >> $GITHUB_OUTPUT
+          else
+            echo "log_opts=${{ github.event.before }}..HEAD" >> $GITHUB_OUTPUT
+          fi
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+          GITLEAKS_LOG_OPTS: ${{ steps.range.outputs.log_opts }}
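Review bot: The "Set scan range" step splices `${{ github.event_name }}`, `${{ github.event.before }}`, `${{ github.event.pull_request.base.sha }}` and `${{ github.event.forced }}` straight into the `run:` script, which is the expression-injection pattern GitHub's hardening guide warns about; the values used here are SHAs, a boolean and an event name that GitHub itself produces, so it does not look exploitable as written, but the next person to add `github.head_ref` or the PR title to this block inherits a shell-injection bug. Passing the expressions through `env:` and reading them as `$BASE_SHA` etc. costs nothing and makes the step safe by construction, and `"$GITHUB_OUTPUT"` should be quoted while you are there. Separately, `secrets.GITLEAKS_LICENSE` and a writable `GITHUB_TOKEN` are not provided to `pull_request` runs from forks, so if this repo is one where gitleaks-action needs the license, fork PRs will fail the scan rather than report on it — worth a comment above `pull_request:` stating which behaviour is intended.
```yaml
      - name: Set scan range
        id: range
        env:
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          BEFORE_SHA: ${{ github.event.before }}
          FORCED: ${{ github.event.forced }}
        run: |
          NULL_SHA="0000000000000000000000000000000000000000"
          if [ "$EVENT_NAME" = "pull_request" ]; then
            echo "log_opts=${BASE_SHA}..HEAD" >> "$GITHUB_OUTPUT"
          elif [ "$BEFORE_SHA" = "$NULL_SHA" ] || [ -z "$BEFORE_SHA" ] || [ "$FORCED" = "true" ]; then
            echo "log_opts=" >> "$GITHUB_OUTPUT"
          else
            echo "log_opts=${BEFORE_SHA}..HEAD" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: gitleaks-action step …
```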