diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 000000000..98a6509d4
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
@@ -0,0 +1,17 @@
+name: Trufflehog Secret Scan
+
+on:
+ pull_request:
+ paths:
+ - '**/*'
+ push:
+ branches:
+ - main
+ paths:
+ - '**/*'
+
+jobs:
+ trufflehog:
+ uses: grafana/shared-workflows/.github/workflows/reusable-trufflehog.yml@pr/trufflehog-scan
+ with:
+ fail-on-secrets: "true"
\ No newline at end of file
diff --git a/scripts/test-secret.txt b/scripts/test-secret.txt
new file mode 100644
index 000000000..3375ce3d1
--- /dev/null
+++ b/scripts/test-secret.txt
@@ -0,0 +1 @@
+aws_secret_access_key = "AKIA1234567890FAKEKEY"
\ No newline at end of file
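Review bot: The `uses:` line in the `trufflehog` job references the reusable workflow at `@pr/trufflehog-scan`, a mutable branch ref (by its name, a pull-request branch) rather than a commit. Whatever that branch points to at run time executes in this repository's context on every pull request and push to `main`, and the ref stops resolving if the branch is deleted after it merges. Pin it to a full commit SHA instead, e.g. `uses: grafana/shared-workflows/.github/workflows/reusable-trufflehog.yml@<full-commit-sha>`. The job also declares no `permissions:`, so the called workflow receives the repository's default token scope; a `permissions:` block with `contents: read` is the least-privilege starting point, assuming the reusable workflow needs nothing more (its contents are not visible here).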
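Review bot: `scripts/test-secret.txt` adds a credential-shaped string that looks like a fixture for exercising the new scan, and it should not be merged along with the workflow. If the scanner flags it, `fail-on-secrets: "true"` keeps runs red until someone allowlists the finding, which is the habit a secret scan is meant to prevent; if it does not, the file is dead weight that stays in git history. A permanent fixture, if one is wanted, belongs in a clearly named test directory that the scanner configuration excludes on purpose rather than in `scripts/`. The value also carries the `AKIA` access-key-ID prefix under an `aws_secret_access_key` label, so it may not match the detector it is presumably meant to test.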