diff --git a/modules/hooks.nix b/modules/hooks.nix
index 3aba636a..45c91aa4 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -3496,6 +3496,23 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.ormol
 package = tools.pre-commit-hooks;
 entry = "${hooks.trim-trailing-whitespace.package}/bin/trailing-whitespace-fixer";
 };
+ trufflehog =
+ {
+ name = "trufflehog";
+ description = "Secrets scanner";
+ entry =
+ let
+ script = pkgs.writeShellScript "precommit-trufflehog" ''
+ set -e
+ ${hooks.trufflehog.package}/bin/trufflehog --no-update git "file://$(git rev-parse --show-top-level)" --since-commit HEAD --only-verified --fail
+ '';
+ in
+ builtins.toString script;
+ package = pkgs.trufflehog;
+
+ # trufflehog expects to run across the whole repo, not particular files
+ pass_filenames = false;
+ };
 typos =
 {
 name = "typos";
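Review bot: The repository path handed to trufflehog in the `precommit-trufflehog` script is built from `git rev-parse --show-top-level`, which is not a git rev-parse option; the option is spelled `--show-toplevel`, so the `file://` URL does not resolve to the repository root and the scan does not cover the intended tree. git rev-parse tends to echo unrecognized `--` options into its output rather than exit non-zero, so the `set -e` at the top of the script would likely not surface this. The line should read `${hooks.trufflehog.package}/bin/trufflehog --no-update git "file://$(git rev-parse --show-toplevel)" --since-commit HEAD --only-verified --fail`. Separately, `--only-verified` means each candidate is checked against the issuing service at commit time and anything that cannot be verified (offline, revoked, or unsupported credential types) is silently dropped; a comment next to `pass_filenames` such as `# --only-verified contacts the credential's service and suppresses unverifiable findings` would make that trade-off visible to users of the hook.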