diff --git a/.gitignore b/.gitignore
index bca53cb27..d0562ec4f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ coverage
 .dccache
 .idea
 .pgdata
+.cache_ggshield
diff --git a/README.md b/README.md
index 4d15b141b..5f9a46d69 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,13 @@ Because redirects are served directly from the backend, shortlinks can be access
 but that is really being proxied to `localhost:8080/shortlink`.
 One-time passwords for all log-in attempts on localhost are obtained using [maildev](https://github.com/maildev/maildev) and accessed via `http://localhost:1080/`.
+### Setting up secrets detection (optional)
+
+For more safety, you may enable secrets detection on pre-commit using GitGuardian.
+
+To set it up, install `ggshield` locally following the [official installation guide](https://github.com/GitGuardian/ggshield#installation).
+Create a personal GitGuardian account, generate an access token key with scanning permissions, then set `GITGUARDIAN_API_KEY` to this key inside a `.env` file in the root folder.
+
 ### Setting up the infrastructure
 Much of this step will involve setting up key infrastructure components since we do not have docker-compose
diff --git a/secrets-check.sh b/secrets-check.sh
index 6799d6e41..ef65b6cee 100644
--- a/secrets-check.sh
+++ b/secrets-check.sh
@@ -16,5 +16,27 @@ if [ "$KEY_ID" != "" -a "$KEY_ID" != "," -a "$KEY" != "" ]; then
 exit 1
 fi
+gitguardian_secrets_check() {
+ if !(command -v ggshield &> /dev/null); then
+ echo "Skipping GitGuardian check for secrets as ggshield is not installed."
+ return 0
+ fi
+
+ [ -e .env ] && export $(cat .env | xargs)
+ if [ -z "${GITGUARDIAN_API_KEY}" ]; then
+ echo "Skipping GitGuardian check for secrets as GitGuardian API key is not configured."
+ return 0
+ fi
+
+ ggshield secret scan pre-commit
+}
+
+# Check changed files for secrets using GitGuardian
+gitguardian_secrets_check
+exit_status=$?
+if [ $exit_status -ne 0 ]; then
+ exit $exit_status
+fi
+
+
 # Normal exit
 exit 0
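Review bot: `[ -e .env ] && export $(cat .env | xargs)` in `gitguardian_secrets_check` exports every variable in `.env`, not just `GITGUARDIAN_API_KEY`, into the environment of the hook and of the `ggshield` child process, and because the `$(...)` is unquoted each value is word-split and glob-expanded, so a value containing spaces or `*`, or a `#` comment line, is mangled or makes `export` fail; it also silently overrides a key the developer already has in their environment. Reading only that one key out of the file (below) keeps the other secrets the README implies live in `.env` out of child processes, and if the installed `ggshield` already loads `.env` from the working directory on its own — its documentation describes this, but verify against the version in use — the whole export step can be dropped. Separately, `if !(command -v ggshield &> /dev/null); then` forks a subshell just to negate a test and `&>` is bash-only, while the existing code in this file uses POSIX `[ ... -a ... ]`; `if ! command -v ggshield >/dev/null 2>&1; then` does the same job portably (the shebang is outside the hunk, so confirm which shell the script targets). The function is fail-open by design — it returns 0 when `ggshield` or the key is absent — which matches the README's "optional" wording but deserves a comment above the function such as `# Optional: silently skipped when ggshield or GITGUARDIAN_API_KEY is missing, so absence of output is not proof the staged diff was scanned.`

```shell
gitguardian_secrets_check() {
  # … unchanged: ggshield presence check …

  # Take only the one key we need from .env; anything else in that file stays
  # out of the hook's (and ggshield's) environment. A key already exported by
  # the caller wins over the file. Strip surrounding quotes if .env uses them.
  if [ -z "${GITGUARDIAN_API_KEY:-}" ] && [ -r .env ]; then
    GITGUARDIAN_API_KEY=$(sed -n 's/^GITGUARDIAN_API_KEY=//p' .env | head -n 1)
    export GITGUARDIAN_API_KEY
  fi
  # … unchanged: empty-key skip and `ggshield secret scan pre-commit` …
}
```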