diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml
new file mode 100644
index 0000000..1d466df
--- /dev/null
+++ b/.github/workflows/check-leaks.yml
@@ -0,0 +1,22 @@
+name: "Trufflehog: check for exposed secrets"
+
+on:
+  pull_request:
+  push:
+    paths:
+      - "**.nix"
+      - ".github/workflows/check-leaks.yml"
+
+jobs:
+  deadnix:
+    name: Run trufflehog
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+          persist-credentials: false
+
+      - name: TruffleHog scan
+        uses: trufflesecurity/trufflehog@v3.88
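Review bot: The explicit `ref: ${{ github.ref_name }}` on the Checkout step is likely to break the `pull_request` trigger, because on that event `github.ref_name` is of the form `<number>/merge`, which actions/checkout cannot resolve as a branch or tag; dropping the `ref:` line lets checkout use its default (the PR merge ref, or the pushed SHA on `push`), which is what a secret scan should see anyway. The trufflehog action scans the commit range between a base and head commit and its README asks for a full clone, so the shallow default clone probably leaves the base commit unfetched — replace the `ref:` line with `fetch-depth: 0` (keeping `persist-credentials: false`). The job id `deadnix` reads as a copy-paste leftover from a different workflow; `trufflehog:` would match the `name: Run trufflehog` line below it. Note that the `paths` filter under `push` means a secret committed directly to a branch in a non-`.nix` file is only scanned if it later goes through a pull request; a comment stating that this narrowing is deliberate would help, e.g. `# push scans are limited to Nix files; PR scans cover everything`. The action is referenced by the mutable tag `v3.88`, so pinning it to the full commit SHA (with the tag in a trailing comment) would keep the scanner itself from being swapped underneath the workflow.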