diff --git a/.github/workflows/secret_scanners.yml b/.github/workflows/secret_scanners.yml
new file mode 100644
index 0000000..9bae06f
--- /dev/null
+++ b/.github/workflows/secret_scanners.yml
@@ -0,0 +1,61 @@
+name: Secret scanners (PR diff)
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+ group: secscan-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ secret-scanners:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ # 1) Blocking scan: only verified
+ - name: TruffleHog (verified only, blocking)
+ id: verified
+ uses: trufflesecurity/trufflehog@main
+ with:
+ extra_args: --only-verified
+
+ # 2) Non-blocking scan: annotate unverified/unknown
+ - name: TruffleHog (unverified/unknown, annotate only)
+ id: unverified
+ uses: trufflesecurity/trufflehog@main
+ continue-on-error: true
+ with:
+ extra_args: --results=unverified,unknown
+
+ - name: gitleaks
+ id: gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ continue-on-error: true
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+
+ # Notify Slack if either scan found anything
+ - name: Notify Slack on secret findings
+ if: ${{ always() && (steps.verified.outcome == 'failure' || steps.unverified.outcome == 'failure' || steps.gitleaks.outcome == 'failure') }}
+ uses: slackapi/slack-github-action@v2.1.1
+ with:
+ webhook: ${{ secrets.LEAKED_SECRET_SLACK_WEBHOOK_URL }}
+ webhook-type: incoming-webhook
+ payload: |
+ {
+ "text": "*Secret findings* on PR <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}> in `${{ github.repository }}`",
+ "blocks": [
+ {"type":"section","text":{"type":"mrkdwn","text":"*Secret findings* on PR <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}> in `${{ github.repository }}`"}},
+ {"type":"context","elements":[{"type":"mrkdwn","text":"Actor: `${{ github.actor }}`"}]}
+ ]
+ }
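Review bot: Both TruffleHog steps pull the action from the mutable `trufflesecurity/trufflehog@main` ref, so whatever that branch resolves to at run time executes on the same runner as the checked-out tree, the `pull-requests: write` `GITHUB_TOKEN` and the job's other secrets; pin it to a full-length commit SHA with a version comment, e.g. `uses: trufflesecurity/trufflehog@<PINNED-COMMIT-SHA> # <release tag>`, and treat the `gitleaks/gitleaks-action@v2` and `slackapi/slack-github-action@v2.1.1` tags the same way, since tags are movable too. The notify step's `if:` starts with `always()`, which also fires after a cancelled run — and `cancel-in-progress: true` makes cancellations routine here — so `!cancelled()` is the better guard. On `pull_request` runs from forked repositories the `LEAKED_SECRET_SLACK_WEBHOOK_URL` and `GITLEAKS_LICENSE` secrets are presumably not populated, so the Slack alert path would only work for same-repo PRs; a one-line comment above the notify step, such as `# Secrets are not available to fork PRs; alerting only covers same-repo branches`, would make that limitation visible to maintainers.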