diff --git a/.github/workflows/leaked-secrets-scan.yml b/.github/workflows/leaked-secrets-scan.yml
new file mode 100644
index 0000000..1f3d67d
--- /dev/null
+++ b/.github/workflows/leaked-secrets-scan.yml
@@ -0,0 +1,21 @@
+name: Leaked Secrets Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..ddfb5f5
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,2 @@
+# Gitleaks configuration
+# Add path or regex allowlists here if false positives arise
diff --git a/lefthook.yml b/lefthook.yml
new file mode 100644
index 0000000..f68879a
--- /dev/null
+++ b/lefthook.yml
@@ -0,0 +1,7 @@
+# Lefthook Git Hooks Configuration
+# Documentation: https://github.com/evilmartians/lefthook/blob/master/docs/configuration.md
+
+pre-push:
+  commands:
+    gitleaks:
+      run: gitleaks protect --staged --redact
diff --git a/package.json b/package.json
index 0123fe7..8509f08 100644
--- a/package.json
+++ b/package.json
@@ -23,6 +23,7 @@
     "lint:tsc": "pnpm tsc --noEmit",
     "rollup": "rollup --config rollup.config.mjs",
     "storybook": "storybook dev -p 6006 --disable-telemetry",
+    "prepare": "lefthook install",
     "storybook:build": "storybook build -o storybook-static",
     "storybook:publish": "gh-pages -b storybook/publish -d storybook-static"
   },
@@ -81,6 +82,7 @@
     "eslint-plugin-react-hooks": "^5.1.0",
     "file-loader": "^6.2.0",
     "gh-pages": "^6.2.0",
+    "lefthook": "^1.11.0",
     "react-dom": "^18.3.1",
     "react-router-dom": "^7.12.0",
     "rollup": "^4.27.3",
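Review bot: Both third-party actions in the new workflow are referenced by a floating major tag (`actions/checkout@v6`, `gitleaks/gitleaks-action@v2`), so whoever controls those tags can change what runs in a job that holds `GITHUB_TOKEN` and the repository's full history (`fetch-depth: 0`); pin each to a full-length commit SHA with the tag in a trailing comment, e.g. `- uses: gitleaks/gitleaks-action@<full-commit-sha>  # v2`, and let Dependabot/Renovate bump the pins. The workflow also has no `permissions:` block, so the job inherits whatever default token scope the repository is configured with; add a top-level `permissions:` with `contents: read`, and extend it only with what gitleaks-action needs (it appears to use the token for PR/summary output, so `pull-requests: write` may be required — confirm against the action's README). A short comment above `schedule:` saying why a daily full-history scan is run in addition to push/PR scans (new rules catch previously missed secrets) would help the next maintainer.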
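Review bot: The new `.gitleaks.toml` contains only comments, and as I understand gitleaks' config lookup a `.gitleaks.toml` in the scanned root replaces the built-in config rather than extending it, so a file with no `[rules]` and no `[extend]` section loads zero detection rules — both the CI job and the pre-push hook would then scan against an empty ruleset and report nothing. Add `[extend]` followed by `useDefault = true` at the top so the default rules stay active and this file only layers allowlists on top, and verify once by running gitleaks against a commit containing a known test secret. The second comment line could also name the allowlist keys expected here (`[allowlist]` with `paths` / `regexes`) so contributors do not have to look them up.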
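Review bot: `gitleaks protect --staged` scans the index, which is normally empty by the time a `pre-push` hook runs, so the commits actually being pushed are not examined and the hook mostly passes vacuously. Either move the command under `pre-commit:` where `--staged` is meaningful, or keep `pre-push` and scan the outgoing range instead (`gitleaks detect` with `--log-opts` over the commits not yet on the remote). Note also that `protect`/`detect` are reported deprecated in gitleaks 8.19+ in favour of `gitleaks git --pre-commit --staged --redact` — confirm against the version developers are expected to install. The hook assumes a `gitleaks` binary on PATH, which `lefthook install` does not provide; a comment above `gitleaks:` stating that requirement (and the install source) would avoid pushes failing with a bare "command not found".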
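Review bot: The new `"prepare": "lefthook install"` entry is inserted between `storybook` and `storybook:build`, breaking the alphabetical order the surrounding scripts keep (`lint:tsc`, `rollup`, `storybook`, `storybook:build`, `storybook:publish`); move it above `"rollup"`. Since `prepare` runs on every `pnpm install`, including inside the CI checkout, the hook set is (re)written there too — that looks harmless but is worth a one-line note in the README so nobody is surprised by hooks appearing in a fresh clone. The devDependency hunk for `lefthook` needs nothing further.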