diff --git a/.github/workflows/config/whispers-config.yml b/.github/workflows/config/whispers-config.yml
new file mode 100644
index 0000000..2e30a98
--- /dev/null
+++ b/.github/workflows/config/whispers-config.yml
@@ -0,0 +1,20 @@
+include:
+  files:
+    - "**/*"
+
+exclude:
+  files:
+    - __pycache__|\.eggs|build|dev|\.vscode|\.git|\.github
+    - .*/(locale|spec|test|mock)s?/
+    - integration|node_modules
+    - (package(-lock)?|npm-shrinkwrap)\.json
+
+  keys:
+    - .*(public|project).*
+
+  values:
+    - ^(true|false|yes|no|1|0)$
+    - .*_(user|password|token|key|placeholder|name)$
+    - ^aws_(access_key_id|secret_access_key|session_token)$
+    - ^arn:aws:.*
+    - ^((cn?trl|alt|shift|del|ins|esc|tab|f[\d]+) ?[\+_\-\\/] ?)+[\w]+$
\ No newline at end of file
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
new file mode 100644
index 0000000..cdea767
--- /dev/null
+++ b/.github/workflows/secrets-scan.yml
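Review bot: The `exclude.files` patterns are unanchored regexes, so the bare `build`, `dev` and `integration` alternatives in the first and third entries will, if whispers applies them as a substring search rather than a full-path match, also skip unrelated files such as `src/devices.py`, `rebuild.sh` or an `integrations/` package, silently removing them from the secret scan. Anchoring the directory names keeps the intent without the collateral skips, e.g. `- (^|/)(__pycache__|\.eggs|build|dev|\.vscode|\.git|\.github)(/|$)` and `- (^|/)(integration|node_modules)(/|$)`. The `values` entry `.*_(user|password|token|key|placeholder|name)$` likewise suppresses any finding whose value ends in `_key` or `_token`, which reads as intended for variable-reference placeholders; a comment above it such as `# placeholders that merely name a secret (e.g. ${DB_PASSWORD}), not secret material` would record that and make future widening of the list reviewable. The same applies to the `keys` entry, which drops every key containing `project`.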
@@ -0,0 +1,32 @@
+name: secrets
+
+on: [push, pull_request]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: scan
+        run: |
+          export DEBIAN_FRONTEND=noninteractive && \
+          echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \
+          sudo apt-get update && \
+          python3 -m pip install --upgrade pip && \
+          pip3 install whispers && \
+          mkdir /home/runner/reports/ && \
+          whispers --severity BLOCKER,CRITICAL -o /home/runner/reports/whispers.json -c ${GITHUB_WORKSPACE}/.github/workflows/config/whispers-config.yml ${GITHUB_WORKSPACE} && \
+          echo "::set-output name=found-count::$(wc -l /home/runner/reports/whispers.json | cut -d' ' -f1)"
+      - name: Fail if found
+        if: steps.scan.outputs.found-count != 0
+        uses: actions/github-script@v5
+        with:
+          script: |
+            echo {{steps.scan.outputs.found-count}} && \
+            core.setFailed('Secrets found. Please check the uploaded report')
+      - name: Upload scan reports
+        uses: actions/upload-artifact@v2.3.1
+        if: failure()
+        with:
+          name: whispers-report
+          path: /home/runner/reports/whispers.json
\ No newline at end of file
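Review bot: The gate in the `Fail if found` step never fires, because the `scan` step has a `name:` but no `id:`, so `steps.scan.outputs.found-count` resolves to nothing and the comparison with `0` is not true; the workflow therefore passes whatever whispers reports, and the `Upload scan reports` step, gated on `failure()`, never publishes the report. Even with an `id`, the `github-script` body is JavaScript, and its first line `echo {{steps.scan.outputs.found-count}} && \` is shell, so the step would fail with a syntax error rather than with the intended message; a plain `run:` step is simpler and needs no extra action. `::set-output` is also deprecated in favour of appending to `$GITHUB_OUTPUT`, and since every command in the `run` block is chained with `&& \`, the count line is skipped entirely if `whispers` itself exits non-zero on findings (I cannot tell from the hunk whether it does). Whether `wc -l` of the JSON file equals the number of findings depends on whispers' output format; if it emits one JSON object per line the count is right, otherwise a JSON-aware count is needed.
```yaml
      - name: scan
        id: scan
        run: |
          # … unchanged: apt/pip setup and whispers invocation …
          echo "found-count=$(wc -l < /home/runner/reports/whispers.json)" >> "$GITHUB_OUTPUT"
      - name: Fail if found
        if: steps.scan.outputs.found-count != 0
        run: |
          echo "Findings: ${{ steps.scan.outputs.found-count }}"
          echo "::error::Secrets found. Please check the uploaded report"
          exit 1
      # … unchanged: Upload scan reports step …
```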