diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 17cec05..5d7b69e 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -37,8 +37,10 @@ jobs:
 steps:
 - uses: actions/checkout@v3
- - name: Install ruff
- run: python3 -m pip install ruff
+ - name: Install pip and ruff
+ run: |
+ apt-get update -qq && apt-get install -y -qq python3-pip
+ python3 -m pip install ruff
 - name: Check syntax errors
 run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
@@ -52,8 +54,27 @@ jobs:
 steps:
 - uses: actions/checkout@v3
- - name: Install pip-audit
- run: python3 -m pip install pip-audit
+ - name: Install pip and pip-audit
+ run: |
+ apt-get update -qq && apt-get install -y -qq python3-pip
+ python3 -m pip install pip-audit
 - name: Audit matrixbot dependencies
 run: python3 -m pip_audit -r matrixbot/requirements.txt
+
+ secret-scan:
+ name: Secret scan (gitleaks)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install gitleaks
+ run: |
+ curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
+ | tar -xz gitleaks
+ mv gitleaks /usr/local/bin/gitleaks
+
+ - name: Scan for secrets
+ run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..f9e9707
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,6 @@
+[extend]
+useDefault = true
+
+[[allowlists]]
+description = "Webhook HMAC secrets in hook config files are intentional"
+paths = ['''deploy/hooks-lxc\d+\.json''']
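Review bot: The new `run: |` block installs `python3-pip` with apt and then runs `python3 -m pip install ruff` system-wide as root, which on Debian 12 / Ubuntu 23.04+ images is refused by pip with an "externally-managed-environment" error (PEP 668) unless the caller opts out; whether the runner's `ubuntu-latest` image is that recent cannot be seen from the diff, so this is worth confirming on a real run. If it is, either install into a venv (`python3 -m venv .venv && .venv/bin/pip install ruff`, then call `.venv/bin/ruff`) or pass `--break-system-packages`, which is acceptable in a throwaway CI container. Since the install line is being rewritten anyway, pinning the tool (`python3 -m pip install 'ruff==<version placeholder>'`) keeps lint results from drifting with upstream releases. The identical install lines for pip-audit in the next hunk have the same two issues; the enclosing job header is outside this hunk.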
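Review bot: The `Install gitleaks` step pipes a release tarball from GitHub straight into `tar` with no integrity check, so the scanner this job relies on to gate secrets is itself accepted from the network unverified; pinning the version narrows what can change, but only a SHA-256 recorded in the workflow actually fixes the artifact. `curl -sSL` also lacks `-f`, so a non-2xx response body would be handed to `tar` instead of failing the download step on its own. Downloading to a file, checking it against the recorded hash, and only then extracting resolves both; the hash below is a placeholder to be copied from the checksum file published with the release. The version string is also spelled twice in the URL, which an env entry such as `GITLEAKS_VERSION` on the step would keep in one place.
```yaml
      - name: Install gitleaks
        run: |
          curl -sSfL -o gitleaks.tar.gz \
            https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
          echo "<EXPECTED_SHA256_PLACEHOLDER>  gitleaks.tar.gz" | sha256sum -c -
          tar -xzf gitleaks.tar.gz gitleaks
          mv gitleaks /usr/local/bin/gitleaks
      # … unchanged: checkout and "Scan for secrets" steps …
```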
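Review bot: The `[[allowlists]]` entry uses only `paths`, which suppresses every finding in any `deploy/hooks-lxc<N>.json` file rather than just the webhook HMAC values the `description` names; any other credential that later ends up in those files (an API token, a password) would be hidden by the same entry. Narrowing it with a `regexes` pattern limited to the HMAC key name or value format keeps the exemption to what the description claims (check the gitleaks documentation for how `paths` and `regexes` combine in the installed release), and the `description` could also say why the value must live in the repository instead of a secret store. Worth noting as well, though not a defect in this file: the scan job reads this config from the checked-out tree, so a commit that widens the allowlist arrives together with whatever it exempts and should be reviewed with that in mind.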