diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..b7d8994
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+ - repo: https://github.com/grafana/security-github-actions
+ rev: main
+ hooks:
+ - id: trufflehog
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
new file mode 100644
index 0000000..49e0a59
--- /dev/null
+++ b/.pre-commit-hooks.yaml
@@ -0,0 +1,8 @@
+- id: trufflehog
+ name: TruffleHog
+ language: script
+ entry: pre-commit/trufflehog.sh
+ stages:
+ - pre-commit
+ - pre-push
+ types: [text]
diff --git a/pre-commit/trufflehog.sh b/pre-commit/trufflehog.sh
new file mode 100755
index 0000000..eff4028
--- /dev/null
+++ b/pre-commit/trufflehog.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# vim: ai:ts=8:sw=8:noet
+set -euo pipefail
+
+# renovate: datasource=docker depName=trufflesecurity/trufflehog
+TRUFFLEHOG_DEFAULT_VERSION="3.88.29@sha256:6375b4dd7d045656bf78f52ac5a6e992eff344da9def96f0953cda26f791ffb7"
+TRUFFLEHOG_VERSION="${TRUFFLEHOG_VERSION:-${TRUFFLEHOG_DEFAULT_VERSION}}"
+
+docker \
+ run \
+ --volume "$(pwd):/workdir" \
+ --interactive \
+ --rm \
+ "trufflesecurity/trufflehog:$TRUFFLEHOG_VERSION" \
+ git \
+ file:///workdir \
+ --since-commit HEAD \
+ --results=verified,unknown \
+ --log-level=-1 \
+ --fail
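Review bot: `rev: main` in the new `.pre-commit-config.yaml` pins the secret-scanning hook to a mutable branch, so what runs on each developer's machine is whatever that branch head was when pre-commit last cloned it, and pre-commit itself warns about mutable revs. A tag or full commit SHA, e.g. `rev: <release tag or commit sha>`, makes the hook reproducible and gives the pinned TruffleHog image digest in the script a matching, auditable hook pin. `pre-commit autoupdate` can then move the pin deliberately rather than implicitly.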
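Review bot: the hook entry in `.pre-commit-hooks.yaml` does not set `pass_filenames: false`, so pre-commit hands the list of changed text files to `pre-commit/trufflehog.sh` as arguments that the script never reads, and for a large changeset pre-commit may split that list and run the whole-repository scan more than once per commit. Adding `pass_filenames: false` under the hook makes the single invocation explicit; if the scan should also run when no `text`-typed file changed, `always_run: true` is the companion setting. Whether `types: [text]` should then stay depends on whether skipping the scan for binary-only changes is intended.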
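Review bot: the `--volume "$(pwd):/workdir"` line in `pre-commit/trufflehog.sh` mounts the working tree read-write into the scanner container even though the scan only needs to read it; `--volume "$(pwd):/workdir:ro"` is the least-privilege form (assuming the git source needs no write access inside the container — confirm against the TruffleHog docs). The script also silently ignores the filenames pre-commit passes on argv and, when `docker` is missing, fails with a bare command-not-found; a header comment such as `# Runs TruffleHog in Docker against the git repo in $PWD; pre-commit's file arguments are ignored (whole-repo scan since HEAD)` plus `command -v docker >/dev/null || { printf 'docker not found\n' >&2; exit 1; }` before the `docker` call would make both explicit. At the `pre-push` stage `--since-commit HEAD` presumably scans the same range as at `pre-commit` rather than the commits about to be pushed, which is worth confirming if pre-push coverage of earlier local commits is the goal.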