diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
index 7b6c13a..db3bdc5 100644
--- a/.github/workflows/secret-scanning.yml
+++ b/.github/workflows/secret-scanning.yml
@@ -5,6 +5,9 @@ on:
     branches: [main, develop]
   pull_request:
     branches: [main, develop]
+  schedule:
+    # Weekly scan every Monday at 03:00 UTC
+    - cron: '0 3 * * 1'
 
 jobs:
   gitleaks:
@@ -14,6 +17,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      # Pinned to v2 (latest stable); bump to v2.x.x once a specific patch is validated
       - uses: gitleaks/gitleaks-action@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_ENABLE_COMMENTS: true
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 0000000..ca33a26
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
@@ -0,0 +1,21 @@
+name: TruffleHog Secret Scanning
+
+on:
+  pull_request:
+    branches: [main, develop]
+
+jobs:
+  trufflehog:
+    name: Detect secrets (trufflehog)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@v3
+        with:
+          # Scan only the diff introduced by this PR
+          base: ${{ github.event.pull_request.base.sha }}
+          head: ${{ github.event.pull_request.head.sha }}
+          extra_args: --only-verified
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 9d742ef..739a480 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
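Review bot: The `schedule:` trigger added in the first hunk has no pull request or push to attach results to, so a leak found by the weekly run presumably surfaces only as a failed workflow run in the Actions tab, and the new comment should say so, e.g. `# Weekly full-history scan; findings appear only in the scheduled run's job log/summary`. If nobody is subscribed to failed scheduled runs, a hit can sit unnoticed until the next push, so the note should name who watches it. A `workflow_dispatch:` trigger beside it would let the same full-history scan be run on demand after a rule change. The enclosing `on:` mapping starts above the hunk.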
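Review bot: The comment added above `- uses: gitleaks/gitleaks-action@v2` calls `@v2` a pin, but a major tag is mutable and resolves to whatever commit the maintainer moves it to; for a third-party action that receives `GITHUB_TOKEN`, pin the full commit SHA and keep the version in a trailing comment, `- uses: gitleaks/gitleaks-action@<commit-sha> # v2.x.y`, and let Dependabot move it. The same applies to `trufflesecurity/trufflehog@v3` in the new trufflehog.yml and to both `actions/checkout@v4` steps. `GITLEAKS_ENABLE_COMMENTS: true` is a YAML boolean; GitHub stringifies env values, but `"true"` avoids relying on that coercion. PR comments also need `pull-requests: write` on the token, which is not visible in this hunk — if the workflow has no `permissions:` block, commenting presumably fails on PRs from forks, where the token is read-only.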
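Review bot: The new workflow has no `permissions:` block, so the job runs with the repository's default token scopes although it only reads the checkout; add `permissions:` with `  contents: read` at the top level so the token stays least-privilege. `extra_args: --only-verified` drops every detector hit that could not be verified against the live service, so a credential for a service without a verifier, or one already revoked, is never reported; the comment should state that, e.g. `# --only-verified: report only credentials that verified live; unverified hits are dropped`. Because the only trigger is `pull_request`, commits pushed directly to main or develop are not scanned by this job (the gitleaks workflow's `push` trigger presumably covers them). Passing explicit `base`/`head` SHAs is documented as optional on pull_request events, and the action is reported to abort when both resolve to the same commit, so leaving them unset or adding a fallback is worth confirming.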
@@ -2,4 +2,23 @@ description = "Allowlist for known safe placeholder values"
   paths = [
     "apps/web/.env.example",
+    "apps/web/.env.staging.example",
+    ".env.staging.example",
+    "README.md",
+    "docs/",
   ]
+  regexes = [
+    # Generic placeholders
+    '''(?i)placeholder''',
+    # Stellar testnet public keys (start with SAAAA or GAAA — well-known test keys)
+    '''SAAAA[A-Z2-7]{55}''',
+    # Quoted example values
+    '''(your[-_]?|example[-_]?|dummy[-_]?|fake[-_]?|test[-_]?)(key|secret|token|password)''',
+  ]
+
+# Reduce false positives for Stellar-style keys in test/example files
+[[rules]]
+  id = "stellar-test-key-allowlist"
+  description = "Ignore Stellar testnet seed keys used as examples"
+  regex = '''S[A-Z2-7]{55}'''
+  allowlist.regexes = ['''SAAAA[A-Z2-7]{51}''']
 
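Review bot: The global allowlist entry `'''SAAAA[A-Z2-7]{55}'''` can never match a Stellar seed: the rule below defines one as `S[A-Z2-7]{55}` (56 characters), while this entry needs `SAAAA` plus 55 more (60), and the rule-level allowlist uses `{51}`; change the global entry to `'''SAAAA[A-Z2-7]{51}'''` and fix its comment, which says "public keys" and mentions `GAAA` although S-prefixed strkeys are secret seeds and the regex has no G branch. The `[[rules]]` block is a detection rule despite its id, so it flags every 56-character S-string that does not start with SAAAA, and if the file has no `[extend]` section with `useDefault = true` above this hunk, gitleaks uses only the rules in this file and every default detector is lost. The example-value regex lacks the `(?i)` that the placeholder entry has, so `YOUR_SECRET` or `TEST_TOKEN` still fire; prefix it with `(?i)`. Allowlisting `README.md` and all of `docs/` means a real credential pasted into documentation is never reported, which deserves a comment on those lines stating the trade-off. The `[allowlist]` table starts above the hunk.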