diff --git a/README.md b/README.md
index 8abb7b6d..2cbb5990 100644
--- a/README.md
+++ b/README.md
@@ -387,6 +387,7 @@ hooks](modules/pre-commit.nix).
 - [commitizen](https://github.com/commitizen-tools/commitizen)
 - [convco](https://github.com/convco/convco)
 - [forbid-new-submodules](https://github.com/pre-commit/pre-commit-hooks/blob/main/pre_commit_hooks/forbid_new_submodules.py)
+- [gitleaks](https://github.com/gitleaks/gitleaks)
 - [gitlint](https://github.com/jorisroovers/gitlint)
 - [gptcommit](https://github.com/zurawiki/gptcommit)
 - [no-commit-to-branch](https://github.com/pre-commit/pre-commit-hooks/blob/main/pre_commit_hooks/no_commit_to_branch.py)
diff --git a/modules/hooks.nix b/modules/hooks.nix
index 80801675..1d85b7eb 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -3041,6 +3041,14 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.fourm
 package = tools.fprettify;
 entry = "${hooks.fprettify.package}/bin/fprettify";
 };
+ gitleaks = {
+ name = "gitleaks";
+ description = "Detect hardcoded secrets using Gitleaks";
+ entry = lib.getExe hooks.gitleaks.package;
+ package = tools.gitleaks;
+ args = [ "git" "--pre-commit" "--redact" "--staged" "--verbose" ];
+ pass_filenames = false;
+ };
 gitlint = {
 name = "gitlint";
 description = "Linting for your git commit messages";
diff --git a/nix/tools.nix b/nix/tools.nix
index 5c0fb1f1..9278b7d7 100644
--- a/nix/tools.nix
+++ b/nix/tools.nix
@@ -34,6 +34,7 @@
 , flake-checker ? placeholder "flake-checker"
 , fprettify
 , git-annex
+, gitleaks
 , gitlint
 , gptcommit ? placeholder "gptcommit"
 , hadolint
@@ -146,6 +147,7 @@ in
 flake-checker
 fprettify
 git-annex
+ gitleaks
 gitlint
 go
 go-tools
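Review bot: In the new `gitleaks` hook in modules/hooks.nix, the subcommand and the safety-relevant flags (`git`, `--staged`, `--redact`) all sit in `args`, so a user who sets `hooks.gitleaks.args` to add an option of their own would presumably replace them, losing both the staged-diff scope and the redaction of matched secrets in hook and CI output. Consider fixing them in the entry, `entry = "${lib.getExe hooks.gitleaks.package} git --pre-commit --redact --staged";`, and leaving only `args = [ "--verbose" ];` overridable. Separately, `--staged` together with `pass_filenames = false` means only the staged diff is inspected, so a run with nothing staged (for example an all-files run in CI) reports clean without scanning the tree or history. The description could state that scope: `description = "Detect hardcoded secrets in staged changes using Gitleaks";`. The attribute set that holds this hook starts and ends outside the hunk, so how defaults merge with user overrides should be confirmed there.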