diff --git a/.github/workflows/gitleaks-pr-scan.yml b/.github/workflows/gitleaks-pr-scan.yml new file mode 100644 index 00000000..232ddfa2 --- /dev/null +++ b/.github/workflows/gitleaks-pr-scan.yml @@ -0,0 +1,30 @@ +--- +name: 🔐 Gitleaks PR Scan + +on: + workflow_call: + inputs: + checkout_ref: + description: 'Ref to checkout before scanning (optional).' + required: false + type: string + default: '' + +permissions: + contents: read + +jobs: + gitleaks: + name: 🔍 Gitleaks scan + runs-on: ubuntu-latest + steps: + - name: 📦 Checkout + uses: actions/checkout@v6 + with: + ref: ${{ inputs.checkout_ref != '' && inputs.checkout_ref || github.ref }} + + - name: 🔐 Run gitleaks on PR changes + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +... diff --git a/README.md b/README.md index 56c58543..0d7e9d04 100644 --- a/README.md +++ b/README.md @@ -125,6 +125,7 @@ Above example is just a simple example to call workflow from github shared workf 28. [Terraform Workflow](./docs/28.terraform_workflow.md) 29. [Terraform Module Tag Release Workflow (Shared)](./docs/29.tf-monorepo-tag-release.md) 30. [Terraform PR Plan Diff workflow](./docs/30.tf-pr-checks.md) +31. [Gitleaks PR Scan Workflow](./docs/31.gitleaks-pr-scan.md) ## Feedback If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/github-shared-workflows/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). diff --git a/docs/31.gitleaks-pr-scan.md b/docs/31.gitleaks-pr-scan.md new file mode 100644 index 00000000..b4e63159 --- /dev/null +++ b/docs/31.gitleaks-pr-scan.md 
@@ -0,0 +1,29 @@ +## [Gitleaks PR Scan Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/gitleaks-pr-scan.yml) + +This reusable workflow runs Gitleaks to detect hardcoded secrets in pull requests. It is designed to be called from organization/module repositories via `workflow_call`. + +#### Usage +Use this workflow when you want a centralized and consistent secret-scanning gate managed from `clouddrove/github-shared-workflows`. + +### Highlights +- ✅ Reusable `workflow_call` implementation +- 🔐 Detects leaked credentials/secrets in PR code changes +- 🧩 Can be consumed by `.github` policy repos and module repos +- 🛡️ Uses `GITHUB_TOKEN` from caller context (`secrets: inherit`) + +#### Example +```yaml +name: Gitleaks PR Secret Scan + +on: + pull_request: + workflow_dispatch: + +permissions: + contents: read + +jobs: + gitleaks: + uses: clouddrove/github-shared-workflows/.github/workflows/gitleaks-pr-scan.yml@master + secrets: inherit +```
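Review bot: The checkout step in `.github/workflows/gitleaks-pr-scan.yml` uses the default shallow clone, so gitleaks-action has no base commit to diff against when it scans "PR changes"; add `fetch-depth: 0` under the `with:` block of `actions/checkout` so the full history of the PR branch is available. While in this file, consider pinning `actions/checkout` and `gitleaks/gitleaks-action` to a commit SHA rather than the mutable `@v6` / `@v2` tags, since this workflow is the secret-scanning gate for every consumer and a moved tag changes what runs for all of them.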
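Review bot: The unchanged context line at the end of the `README.md` hunk still carries the typo "accross" ("If you come accross a bug"); since the list above it is being edited anyway, fixing it to "across" in the same change avoids a separate one-word PR.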
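Review bot: The heading levels in `docs/31.gitleaks-pr-scan.md` skip around (`##` title, then `#### Usage`, `### Highlights`, `#### Example`); make `Usage`, `Highlights` and `Example` the same level so the page renders a consistent outline. The doc also does not mention the `checkout_ref` input that the workflow declares, so a caller cannot tell it exists; a short `with: checkout_ref: ...` line in the example, or a sentence under Usage, would cover it. Finally, the highlight "Uses `GITHUB_TOKEN` from caller context (`secrets: inherit`)" is misleading: `secrets.GITHUB_TOKEN` is available to a called workflow automatically, so `secrets: inherit` is not what provides it; either drop the parenthetical or reword it as passing any additional secrets the caller wants to expose.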