diff --git a/.secretsignore b/.secretsignore
new file mode 100644
index 0000000000000000000000000000000000000000..071423bd3c1abd0359084161a951f954bc338d92
--- /dev/null
+++ b/.secretsignore
@@ -0,0 +1,66 @@
+# This file is for defining paths and secrets that will be ignored by ripsecret
+
+doc/*
+spec/*
+ee/spec/*
+qa/*
+*_spec.rb
+config/gitlab.yml.example
+workhorse/testdata/localhost.key
+db/fixtures/**/*.rb
+
+[secrets]
+AUTO_DEVOPS_DOMAIN
+BACKWARD_DIRECTION
+CI_BUILD_BEFORE_SHA
+CI_BUILD_REF_NAME
+CI_BUILD_REF_SLUG
+CI_COMMIT_BRANCH
+CI_COMMIT_REF_SLUG
+CI_DEFAULT_BRANCH
+CI_DEPLOY_FREEZE
+CI_DEPLOY_PASSWORD
+CI_ENVIRONMENT_SLUG
+CI_ENVIRONMENT_URL
+CI_GITLAB_FIPS_MODE
+CI_JOB_NAME_SLUG
+CI_JOB_STARTED_AT
+CI_PAGES_DOMAIN
+CI_PROJECT_NAME
+CI_PROJECT_PATH
+CI_PROJECT_PATH_SLUG
+CI_PROJECT_VISIBILITY
+CI_REGISTRY_IMAGE
+CI_REGISTRY_PASSWORD
+CI_REPOSITORY_URL
+CROWDIN_API_KEY
+DAST_API_PROFILE
+DAST_PASSWORD_BASE64
+DAST_SUBMIT_FIELD
+DAST_USERNAME_FIELD
+DORA_METRICS_KEYS
+ESCALATION_STATUS
+FIFTY_PACKAGE_FILES
+FORTY_PACKAGE_FILES
+FORWARD_DIRECTION
+GITLAB_FEATURES
+GITLAB_USER_EMAIL
+GITLAB_USER_LOGIN
+GITLAB_USER_NAME
+HARBOR_PASSWORD
+HARBOR_USERNAME
+KUBE_CA_PEM_FILE
+KUBE_SERVICE_ACCOUNT
+NAVSOURCE_VALUE
+ONE_HUNDRED_TAGS
+ONE_PACKAGE_FILE
+STAGING_ENABLED
+TEN_PACKAGE_FILES
+THIRTY_PACKAGE_FILES
+TRIGGER_PAYLOAD
+TWENTY_FIVE_TAGS
+TWENTY_PACKAGE_FILES
+YOUR-ACCESSKEYID
+YOUR-CLIENT-SECRET
+YOUR_AUTH0_CLIENT_SECRET
+sbdMsxcgW2Xs75Q2uHc9FhUCZSEV3fSg
diff --git a/lefthook.yml b/lefthook.yml
index a2819358bdfe506117df2fc2211c5d2f84e87b44..03542a437e360598c7bcb691c625a9367a3a557c 100644
--- a/lefthook.yml
+++ b/lefthook.yml
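Review bot: The final `[secrets]` entry, `sbdMsxcgW2Xs75Q2uHc9FhUCZSEV3fSg`, is a literal high-entropy string with nothing saying where it comes from, so a later reader cannot tell a documentation sample from a credential that was once real. A comment in the file header such as `# sbdMsx…: sample token used in <path to fixture or doc>, never a live credential` would record that; if the value was ever valid it should be rotated rather than allow-listed. The path patterns `doc/*`, `spec/*`, `ee/spec/*` and `qa/*` also take whole trees out of scanning, so a real key pasted into a doc page or a spec would pass unnoticed, and the header should say which other check covers those trees. The header comment also names the tool as "ripsecret" where the hook calls `ripsecrets`.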
@@ -79,3 +79,7 @@ pre-push:
 files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
 glob: 'data/removals/*.yml'
 run: echo "Changes to removals files detected. Checking removals..\n"; bundle exec rake gitlab:docs:check_removals
+ secrets-detection:
+ tags: secrets
+ files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
+ run: 'if command -v ripsecrets > /dev/null 2>&1; then ripsecrets --strict-ignore {files}; else echo "WARNING: ripsecrets is not installed. Please install it."; fi'
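Review bot: The `else` branch of the new `secrets-detection` command fails open: when `ripsecrets` is missing, the hook prints a warning to stdout and exits 0, so the push goes ahead unscanned and the message is easy to lose among other hook output. If the hook is meant to stay optional, say so and make the warning louder, e.g. `else echo "WARNING: ripsecrets is not installed; this push was NOT scanned for secrets." >&2; fi`, and treat a server-side or CI scan as the enforcing control. The command also scans the current working-tree content of the changed files, so a secret added in one commit and removed in a later commit of the same push would, as far as this hunk shows, still reach the remote in history. The `pre-push` block starts outside the hunk.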