diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ba9c41f..dbd61ed 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -16,6 +16,20 @@ permissions:
   id-token: write
 
 jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup Nix
+        uses: ./.github/actions/setup-nix
+
+      - name: Run Gitleaks
+        run: nix develop --command gitleaks detect --source . --config .gitleaks.toml
+
   typos:
     runs-on: ubuntu-latest
     steps:
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..3e4bd33
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,11 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+  '''pnpm-lock\.yaml$''',
+]
diff --git a/flake.nix b/flake.nix
index e953f20..d0c4a00 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,9 @@
           nixfmt-rfc-style
           typos
           typos-lsp
+
+          # security
+          gitleaks
         ];
 
       shellHook = ''
diff --git a/lefthook.yaml b/lefthook.yaml
index 21bf81b..67aa5e8 100644
--- a/lefthook.yaml
+++ b/lefthook.yaml
@@ -1,6 +1,8 @@
 pre-commit:
   piped: true
   jobs:
+    - name: gitleaks
+      run: gitleaks protect --staged --config .gitleaks.toml
     - name: oxlint
       glob: '*.{ts,tsx,js,jsx,mts,cts}'
       run: pnpm oxlint --max-warnings=0 --type-aware --type-check --fix {staged_files}
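Review bot: The new `gitleaks` job declares no `permissions:` of its own, so it inherits the workflow-level block, which the hunk context shows grants at least `id-token: write`, a scope a secret scanner never needs; add a job-level override directly under `gitleaks:`: `permissions:` / `contents: read`. The `gitleaks detect` step writes its findings to the CI log, so if it is ever run with `-v` or its report is uploaded as an artifact, appending `--redact` keeps any matched secret value out of the log. Because `fetch-depth: 0` fetches the full history, a leak anywhere in the repository's past fails every run until the finding is allowlisted or the history rewritten, which is worth stating in a comment on the step such as `# full-history scan; findings block the build until allowlisted or purged`.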
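Review bot: The allowlist regex `pnpm-lock\.yaml$` is anchored only at the end, so any path whose name merely ends in that string is exempted as well, not just the lockfile; `'''(^|/)pnpm-lock\.yaml$'''` limits the exemption to a file actually named pnpm-lock.yaml. Excluding the lockfile wholesale also means a credential embedded in a `resolved` URL would never be reported, so a comment above the entry giving the reason for the exclusion (presumably integrity hashes tripping the entropy rules) would let the next reviewer judge whether that trade-off still holds.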
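Review bot: `gitleaks protect` here, and `gitleaks detect` in `ci.yaml`, are to my knowledge deprecated aliases since gitleaks 8.19 for `gitleaks git --pre-commit --staged` and `gitleaks git` respectively; which spelling works depends on the version nixpkgs supplies, so record the intent in a comment above the job, e.g. `# staged-only secret scan; CI runs the full-history scan`. The hook calls `gitleaks` from PATH while the CI job wraps it in `nix develop --command`, so a contributor committing outside the dev shell gets a command-not-found failure instead of a scan, which is fail-closed but worth noting in the same comment. Adding `--redact` is cheap here too and keeps a matched secret from being echoed to the terminal and shell history.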