diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml new file mode 100644 index 0000000..cab663c --- /dev/null +++ b/.github/workflows/secret-scanning.yml @@ -0,0 +1,23 @@ +name: "Secret Scanning" + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + secret-scan: + name: Scan for Secrets + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: TruffleHog Secret Scan + uses: trufflesecurity/trufflehog@v3.88.0 diff --git a/SECURITY.md b/SECURITY.md index 6ffc2c1..71fc0d8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -78,6 +78,10 @@ We follow responsible disclosure practices: 5. **Release** → We deploy the fix and notify affected users 6. **Disclosure** → We publicly disclose the issue after users have had time to update +## 🔍 Automated Secret Scanning + +All pushes to `main` and pull requests are automatically scanned for sensitive data using [TruffleHog](https://github.com/trufflesecurity/trufflehog). This ensures that secrets such as API keys, tokens, passwords, and private keys are never committed to the repository. + ## 📋 Security Checklist for Contributors If you're contributing to Addocu, please ensure:
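Review bot: The `TruffleHog Secret Scan` step in the workflow hunk passes no `with:` inputs, so the commit range that gets scanned and the result filtering are left entirely to the action's defaults. Consider setting the inputs explicitly, e.g. `with:` / `extra_args: --only-verified` (or the newer `--results=verified,unknown`), so the job fails only on credentials that actually validate and does not block merges on noisy false positives; `fetch-depth: 0` is already present, which is needed for the full-history scan to work. Also note the triggers are limited to `main` and pull requests targeting `main`, so a secret pushed to a feature branch is not scanned until a PR is opened.

Review bot: The new SECURITY.md paragraph claims the scan "ensures that secrets ... are never committed to the repository", which overstates what the workflow does: it runs after a push or PR, so by the time it reports a finding the secret is already in git history. Suggest rewording to say that pushes and PRs are scanned and the check fails when a secret is detected, and adding that any credential that reaches history must be rotated and purged, not merely removed in a follow-up commit.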