diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 2b724b5..3b230e3 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -16,8 +16,19 @@ jobs:
       - run: ruff check src/ tests/
       - run: PYTHONPATH=src pytest tests/ -v
 
+  secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - run: |
+          curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz \
+            | tar xz -C /usr/local/bin gitleaks
+      - run: gitleaks detect --source . -v
+
   build:
-    needs: test
+    needs: [test, secrets]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
diff --git a/docs/CHEATSHEET.md b/docs/CHEATSHEET.md
index 1207c23..14354e2 100644
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -37,8 +37,9 @@ Dev override: compose.yaml mounts `./src` (ro) over the baked-in source.
 
 Gitea Actions runs on push to `main`:
 
-1. `ruff check` + `pytest` in `python:3.13-slim`
-2. Build + push `harbor.mymx.me/s5p/s5p:latest`
+1. `ruff check` + `pytest` (test)
+2. `gitleaks detect` (secrets scan)
+3. Build + push `harbor.mymx.me/s5p/s5p:latest`
 
 Secrets: `HARBOR_USER` / `HARBOR_PASS` (configured in Gitea repo settings).
 
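Review bot: The installer in the new `secrets` job's `run: |` step pipes the gitleaks tarball from `releases/latest/download/` straight into `tar` with no checksum check, so whatever binary that URL serves at the time is executed against a full-history checkout (`fetch-depth: 0`) of the repository. The asset name also hard-codes `8.24.0` while the path says `latest`, so the step will start failing (thanks to `-f`) as soon as a newer release is published and the asset name no longer matches. Pin the release tag in the URL, verify the archive's sha256 against the checksums file published with that release, and keep the version in a single variable so the two cannot drift apart. On the scan step, `gitleaks detect --source . -v` prints the matched values into the job log, which is typically readable more widely than the repository itself; adding `--redact` keeps the finding locations without echoing the secret.

```yaml
      - run: |
          GITLEAKS_VERSION=8.24.0
          curl -sSfL -o gitleaks.tar.gz \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # expected digest taken from the gitleaks_<version>_checksums.txt asset of that release
          echo "<SHA256_FROM_RELEASE_CHECKSUMS_FILE>  gitleaks.tar.gz" | sha256sum -c -
          tar xz -C /usr/local/bin -f gitleaks.tar.gz gitleaks
      - run: gitleaks detect --source . --redact -v
```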