diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 508b83e0c..29ee44fdd 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -72,6 +72,29 @@ jobs:
 key: ${{ github.run_id }}-nrlf-permissions
 path: dist/nrlf_permissions.zip

+ secret-scan:
+ name: Gitleaks secret scan
+ runs-on: ubuntu-latest
+ needs: build
+ environment: pull-request
+ permissions:
+ contents: read
+ actions: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref }}
+
+ - name: Gitleaks secret scan
+ uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+ env:
+ GITLEAKS_VERSION: 8.30.1
+ GITLEAKS_CONFIG: .gitleaks.toml
+ GITLEAKS_LICENSE: ${{ secrets.NHSAPP_GITLEAKS_LICENSE }}
+
+ with:
+ args: detect --redact --verbose
+
 sonar:
 name: SonarQube scan
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 60e7d32ea..817d98d98 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -26,6 +26,8 @@ jobs:
 poetry install --no-root

 - name: Lint
+ env:
+ GITLEAKS_LICENSE: ${{ secrets.NHSAPP_GITLEAKS_LICENSE }}
 run: make lint

 - name: Build
diff --git a/.gitignore b/.gitignore
index 0ce0f1dc2..7b4c60903 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,16 @@ report/
 *.cer
 *.csr
 *.crt
+*.p12
+*.pfx
+
+# Other potential secret files
+.env
+.env.*
+*_rsa
+*_dsa
+*_ecdsa
+*_ed25519

 # .tfstate files
 *.tfstate
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 000000000..cb05ed60b
--- /dev/null
+++ b/.gitleaks.toml
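Review bot: `actions/checkout@v4` in the new `secret-scan` job is pinned by mutable tag while the gitleaks step two lines below is pinned to a full commit SHA with a version comment; pin checkout the same way (`- uses: actions/checkout@<full-commit-sha> # v4.x.y`, placeholder) so the job's supply-chain posture is consistent. The checkout also keeps the default shallow clone, so `gitleaks detect` presumably sees only the checked-out tree rather than repository history; if this daily job is meant to cover history, add `fetch-depth: 0` under `with:`. `with: args: detect --redact --verbose` is only honoured if the pinned action's `action.yml` declares an `args` input — an undeclared input is ignored with nothing more than a workflow warning — so confirm that before relying on `--redact` being applied. The `actions: write` permission has no visible consumer in this job and `contents: read` looks sufficient; likewise `needs: build` serialises the scan behind the build for no visible reason and could be dropped.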
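Review bot: `GITLEAKS_LICENSE` is exposed to the whole `Lint` step's environment, but nothing visible in `make lint` consumes it — to my knowledge the gitleaks CLI that the pre-commit hook in this PR invokes does not read that variable, only gitleaks-action does. Confirm which tool in `make lint` needs the licence and, if none does, drop the `env:` block so the secret is not handed to every linter in the step. The enclosing job and its trigger start outside the hunk; if it runs on `pull_request` from forks, the secret resolves to an empty string there, which is worth a one-line comment on the `env:` entry, e.g. `# empty on fork PRs; consumed by <tool>` (placeholder).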
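Review bot: `.env.*` also ignores files such as `.env.example` or `.env.template`, which projects usually commit deliberately to document the expected variables; if this repository has one, add a negation directly after it, `!.env.example`. The `*_rsa`/`*_dsa`/`*_ecdsa`/`*_ed25519` patterns match only the bare private-key names (`id_rsa.pub` stays tracked, presumably as intended), so the comment above them would be clearer as `# Private key and env files (public .pub keys are not ignored)`. Ignore rules do not untrack files already committed — any matching file already in history needs `git rm --cached`, and if it held real material, rotation rather than just removal.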
@@ -0,0 +1,10 @@
+[extend]
+useDefault = true # keep all the built-in rules
+
+[[rules]]
+id = "generic-api-key"
+description = "Generic API key or password"
+regex = '''["']?(?i)(password|passwd|api_key|access_key|apikey|secret|token)["']?\s*=\s*['"]?([A-Za-z0-9+/=_\-]{8,})['" ,]?'''
+secretGroup = 2 # measure entropy on the value, not the key name
+entropy = 1
+tags = ["generic"]
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 000000000..91595e287
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1 @@
+dc854c9afe34c2b812a20f90162e17d1425f8d3a:postman_collection.json:generic-api-key:59
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 55a0f90c2..679cf4e11 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,13 @@
 ---
 repos:
- - repo: https://github.com/Yelp/detect-secrets
- rev: 001e16323a2f0162336345f4ceb6d72c204980b5 # v1.4.0
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e # v8.30.1
 hooks:
- - id: detect-secrets
- exclude: .pre-commit-config.yaml|layer/psycopg2/.*
+ - id: gitleaks
+ name: Detect secrets using Gitleaks
+ description: Detect hardcoded secrets in your changes using Gitleaks
+ entry: gitleaks git --pre-commit --redact --staged --verbose
+ language: golang
 - repo: https://github.com/prettier/pre-commit
 rev: 57f39166b5a5a504d6808b87ab98d41ebf095b46
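Review bot: The rule id `generic-api-key` is, I believe, the same id as one of gitleaks' built-in default rules, so with `useDefault = true` this definition presumably overrides that default rather than adding to it — and the replacement is looser: `entropy = 1` rejects little beyond runs of a single repeated character for an 8+ character value, and the rule has no allowlist. Give the custom rule its own id, e.g. `id = "custom-assignment-secret"` (constructed name), so the default generic rule keeps working alongside it. Add `keywords = ["password", "passwd", "api_key", "access_key", "apikey", "secret", "token"]` so gitleaks can pre-filter lines before running the regex; without it the pattern is evaluated on every line. The regex only matches `=` assignments, not `:`-separated JSON/YAML pairs, and `(?i)` sits after the first optional quote — moving it to the start of the pattern is the conventional form and makes its scope obvious.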
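Review bot: The fingerprint suppresses a `generic-api-key` finding at line 59 of `postman_collection.json` in commit `dc854c9afe34c2b812a20f90162e17d1425f8d3a`, but nothing records why that value is safe to keep. Before merging, confirm it is a placeholder rather than a real credential — if it was ever real it needs rotation, not an ignore entry — and document the rationale where the next reader will find it, at minimum in the PR description or as a commented allowlist entry in `.gitleaks.toml` scoped to that path. Because the fingerprint is pinned to one commit, the same value reintroduced in a later commit will be reported again; that is the desired behaviour and worth stating so nobody widens the ignore to the whole file.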