diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 000000000..e155b52e3
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,11 @@
+title = "Braintrust SDK gitleaks config"
+
+[extend]
+# Use the default gitleaks ruleset as the base
+useDefault = true
+
+[[rules]]
+id = "braintrust-api-key"
+description = "Braintrust API key"
+regex = '''\bsk-[a-zA-Z0-9]{40,}\b'''
+tags = ["key", "braintrust"]
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 5ee7abd87..92a3d33ff 100644
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1 +1,8 @@
+# Check for secrets in staged files before committing
+if command -v gitleaks &> /dev/null; then
+ gitleaks protect --staged --redact --no-banner
+else
+ echo "WARNING: gitleaks not installed — skipping secret scan. Install via: brew install gitleaks"
+fi
+
 pnpm exec lint-staged
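Review bot: The `braintrust-api-key` rule in `.gitleaks.toml` has no `keywords` entry, so gitleaks has nothing to pre-filter on before it runs the regex; adding `keywords = ["sk-"]` under the `regex` line keeps the staged scan cheap. The pattern `\bsk-[a-zA-Z0-9]{40,}\b` is anchored only on the generic `sk-` prefix, so it will presumably also fire on other vendors' `sk-` keys and on placeholder keys in tests or docs. A comment above the rule such as `# sk- followed by 40+ alphanumerics; overlap with other vendors' sk- keys is intentional` would record whether that breadth is wanted. If the repository carries fixture keys, an allowlist scoped to this rule is safer than loosening or disabling it.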
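Review bot: The `&>` redirect in `if command -v gitleaks &> /dev/null; then` in `.husky/pre-commit` is a bash extension, and no shebang is visible in the hunk; if the hook is run by a POSIX `sh`, the line parses as a background job followed by an empty redirect, the test is always true, and the warning branch is never reached. `if command -v gitleaks >/dev/null 2>&1; then` is portable. The scan line also relies on the hook runner's errexit to stop the commit when a secret is found; `gitleaks protect --staged --redact --no-banner || exit 1` makes that explicit. Because the `else` branch lets the commit through when gitleaks is missing, the hook is advisory only, so the same config should also run in CI as the enforcing check.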