diff --git a/.github/workflows/secret-scan.yaml b/.github/workflows/secret-scan.yaml
new file mode 100644
index 00000000..796bfdf6
--- /dev/null
+++ b/.github/workflows/secret-scan.yaml
@@ -0,0 +1,20 @@
+name: secret-scan
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 13 * * *" # run once a day at 13:00 UTC
+jobs:
+ scan:
+ name: gitleaks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ GITLEAKS_NOTIFY_USER_LIST: ${{ vars.GITLEAKS_NOTIFY_USER_LIST }}
\ No newline at end of file
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 00000000..be943e2c
--- /dev/null
+++ b/.gitleaksignore
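Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` passed to gitleaks-action in the `env:` stanza inherits the repository's default token scope, which may be far broader than the read access a scanner needs; add at workflow or job level `permissions:` / `contents: read`, adding `pull-requests: write` only if the action's optional PR comments are wanted. Both action references (`actions/checkout@v4`, `gitleaks/gitleaks-action@v2`) are mutable tags; pinning each to a full commit SHA with the tag in a trailing comment keeps the scanner itself from being swapped underneath the pipeline. Because `pull_request:` carries no filter, PRs from forks also trigger this job, and on those runs `secrets.GITLEAKS_LICENSE` is not available, so it is worth confirming how the action behaves with an empty license there. The new file also lacks a trailing newline.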
@@ -0,0 +1,14 @@
+f0b67e93831d16b7f6618632ad44d718c8318b87:sftp/testdata/ssh/test_key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:kafkaclient/testdata/client.key.pem:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:kafkaclient/testdata/ssh/test_key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:kafkaclient/testdata/truststore/ca-key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:testhelper/docker/resource/kafka/testdata/truststore/ca-key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:testhelper/docker/resource/sshserver/testdata/test_key:private-key:1
+00cba9dbb04b6ff9807dcf6a3d2a35acf8137b49:testhelper/docker/resource/kafka/testdata/ssh/test_key:private-key:1
+fd02c1d3a32acfada23245a824d9238c9b5f9529:broker/kafka/testdata/client.key.pem:private-key:1
+fd02c1d3a32acfada23245a824d9238c9b5f9529:broker/kafka/testdata/ssh/test_key:private-key:1
+fd02c1d3a32acfada23245a824d9238c9b5f9529:broker/kafka/testdata/truststore/ca-key:private-key:1
+1dfc4115034e1b34fc9c1fa9d42ed61453092a89:testhelper/docker/resource/kafka/testdata/ssh/test_key:private-key:1
+98130e63de7c036b800977e694f8d2d7561f41d6:testhelper/docker/resource/kafka/testdata/truststore/ca-key:private-key:1
+2820fe4afd587f69d9d43b4e2724998e063b8c82:testhelper/docker/resource/sshserver/testdata/test_key:private-key:1
+c7b2e4ae3cde679f36228101162a8a63ac91e576:test_git_leaks_ci.txt:generic-api-key:1
diff --git a/Makefile b/Makefile
index 640c52e7..c431f13d 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ mockgen=go.uber.org/mock/mockgen@v0.4.0
 gotestsum=gotest.tools/gotestsum@v1.11.0
 protoc-gen-go=google.golang.org/protobuf/cmd/protoc-gen-go@v1.33.0
 protoc-gen-go-grpc=google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
+gitleaks=github.com/zricethezav/gitleaks/v8@v8.18.4
 default: lint
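Review bot: Every fingerprint here suppresses a `private-key` or `generic-api-key` finding by commit and path, which leaves the matched material in history rather than removing it, so the list is only sound if each entry is confirmed to be synthetic test data; the `testdata/` paths suggest that, and the `test_git_leaks_ci.txt:generic-api-key:1` entry at commit `c7b2e4ae…` looks like a scanner smoke test, but neither is stated anywhere. A short header comment recording it, such as `# Fingerprints for synthetic keys under testdata/ and the CI smoke-test file; a real credential is rotated, never ignored`, would stop the next maintainer from extending the list by habit, provided the gitleaks version in use accepts `#` lines in this file (otherwise record it in the commit message or README). Several paths appear more than once under different commits; that is expected, since a fingerprint is per commit, but it also means any future commit touching these files will be flagged again and need a fresh entry.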
@@ -72,6 +73,12 @@ install-tools:
 .PHONY: lint
 lint: fmt ## Run linters on all go files
 $(GO) run $(GOLANGCI) run -v
+ @$(MAKE) sec
+
+.PHONY: sec
+sec: ## Run security checks
+ $(GO) run $(gitleaks) detect .
+ $(GO) run $(govulncheck) ./...
 .PHONY: fmt
 fmt: install-tools ## Formats all go files
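Review bot: `$(GO) run $(gitleaks) detect .` in the new `sec` target prints each finding with the matched secret in clear text unless `--redact` is given, so a developer's terminal scrollback or the CI log of `make lint` would echo any real credential it finds; `$(GO) run $(gitleaks) detect --redact` keeps the report actionable without copying the value into logs. As I read gitleaks' CLI the source path comes from `--source`/`-s` (default `.`) rather than a positional argument, so the trailing `.` is probably ignored; dropping it or writing `-s .` states the intent. `$(govulncheck)` is not defined in either Makefile hunk shown; presumably it sits with the other tool pins outside the diff, but it is worth a check, because make expands an undefined variable to nothing and the vulnerability check would silently not run as intended. The `lint` recipe invokes `sec` only after golangci-lint succeeds, so a lint failure also skips the secret scan; if the scan should always run, make it a prerequisite (`lint: fmt sec`) or a separate CI step.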