diff --git a/.github/workflows/trufflehog-scan.yml b/.github/workflows/trufflehog-scan.yml
new file mode 100644
index 0000000..87b4fba
--- /dev/null
+++ b/.github/workflows/trufflehog-scan.yml
@@ -0,0 +1,132 @@
+# Copyright (c) 2003-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved
+# TruffleHog Secret Scanning - Reusable Workflow
+# This workflow scans for secrets in pull request changes
+# Note: This workflow expects to be called from a pull_request event context
+name: TruffleHog Scan
+
+on:
+ workflow_call:
+
+jobs:
+ trufflehog-scan:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+
+ - name: Prepare scan arguments
+ id: prep
+ shell: bash
+ run: |
+ set -e
+ ARGS=""
+
+ # Option 1: Regex patterns file (advanced users)
+ if [ -f ".trufflehog-exclude" ]; then
+ ARGS="--exclude-paths=.trufflehog-exclude"
+ echo "Using regex exclusions: .trufflehog-exclude"
+ fi
+
+ # Option 2: Glob patterns file (easier for most users)
+ if [ -f ".trufflehog-exclude-globs" ]; then
+ PATTERNS=$(grep -v '^#' .trufflehog-exclude-globs | grep -v '^[[:space:]]*$' | tr '\n' ',' | sed 's/,$//' || true)
+ if [ -n "$PATTERNS" ]; then
+ if [ -n "$ARGS" ]; then
+ ARGS="$ARGS --exclude-globs=$PATTERNS"
+ else
+ ARGS="--exclude-globs=$PATTERNS"
+ fi
+ echo "Using glob exclusions: $PATTERNS"
+ fi
+ fi
+
+ if [ -z "$ARGS" ]; then
+ echo "No exclusion files found, scanning all files"
+ fi
+
+ {
+ echo "args<> "$GITHUB_OUTPUT"
+
+ - name: Secret Scanning
+ uses: trufflesecurity/trufflehog@main
+ with:
+ base: ${{ github.event.pull_request.base.sha }}
+ head: ${{ github.event.pull_request.head.sha }}
+ extra_args: ${{ steps.prep.outputs.args }}
+
+# ------------------------------------------------------------------------------
+# HOW TO EXCLUDE FILES/FOLDERS - TWO OPTIONS
+# ------------------------------------------------------------------------------
+#
+# OPTION 1 (RECOMMENDED): Glob Patterns - .trufflehog-exclude-globs
+# ------------------------------------------------------------------------------
+# Create a .trufflehog-exclude-globs file with glob patterns (one per line):
+#
+# Example .trufflehog-exclude-globs:
+# # Exclude specific files
+# src/config.example.env
+# tests/data/secrets.txt
+#
+# # Exclude by wildcard
+# *.test.env
+# *.example
+# *.lock
+#
+# # Exclude folders and subfolders
+# tests/fixtures/**
+# **/test_data/**
+# node_modules/**
+# dist/**
+#
+# # Exclude documentation
+# docs/**
+# *.md
+#
+# Glob pattern rules:
+# - ** matches any number of directories (recursive)
+# - * matches any characters except /
+# - One pattern per line
+# - Lines starting with # are comments
+#
+# ------------------------------------------------------------------------------
+# OPTION 2 (ADVANCED): Regex Patterns - .trufflehog-exclude
+# ------------------------------------------------------------------------------
+# Create a .trufflehog-exclude file with regex patterns (one per line):
+#
+# Example .trufflehog-exclude:
+# # Exclude specific files
+# ^src/config\.example\.env$
+# ^tests/data/secrets\.txt$
+#
+# # Exclude by extension
+# \.test\.env$
+# \.example$
+# \.lock$
+#
+# # Exclude folders (any depth)
+# ^tests/fixtures/
+# /test_data/
+# node_modules/
+# ^dist/
+#
+# # Exclude documentation
+# ^docs/
+# \.md$
+#
+# Regex pattern rules:
+# - Use proper regex escaping (e.g., \. for literal dot)
+# - ^ matches start of path, $ matches end
+# - One pattern per line
+# - Lines starting with # are comments
+#
+# ------------------------------------------------------------------------------
+# You can use both files simultaneously - patterns from both will be applied
+# ------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/templates/pr-workflow.yml b/templates/pr-workflow.yml
index 9dd50b5..7400d1c 100644
--- a/templates/pr-workflow.yml
+++ b/templates/pr-workflow.yml
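Review bot: Both exclusion files are read from the checked-out PR head — `if [ -f ".trufflehog-exclude" ]` and the `.trufflehog-exclude-globs` branch of the `Prepare scan arguments` step — so the change being scanned also decides which paths the scan skips, and a PR can widen its own exclusions unless those two files are reviewed with extra care. Reading both lists from `github.event.pull_request.base.sha` via `git show` keeps that decision with the base branch; `fetch-depth: 0` should make that commit available to the job, though this depends on the caller's event and is worth confirming. Separately, `uses: trufflesecurity/trufflehog@main` tracks a moving branch of a third-party action that receives the full repository contents; pin it to a full commit SHA with the release in a trailing comment, e.g. `uses: trufflesecurity/trufflehog@<full-commit-sha>  # <release tag>`, and the same applies to the `@main` reference added in templates/pr-workflow.yml. Note also that `$PATTERNS` reaches `extra_args` unquoted, so a glob line containing whitespace would presumably be split into separate arguments when the action expands it; rejecting such lines in the prep step is cheap. The `GITHUB_OUTPUT` write at `echo "args<> "$GITHUB_OUTPUT"` appears truncated in this view and could not be reviewed.
```bash
# … unchanged: set -e, ARGS="" …
# Take exclusion lists from the base commit rather than the PR head, so the
# change under review cannot widen what the scan skips. Relies on the
# fetch-depth: 0 checkout having the base commit; confirm for the caller's event.
BASE_SHA="${{ github.event.pull_request.base.sha }}"
if git cat-file -e "$BASE_SHA:.trufflehog-exclude" 2>/dev/null; then
  git show "$BASE_SHA:.trufflehog-exclude" > "$RUNNER_TEMP/trufflehog-exclude"
  ARGS="--exclude-paths=$RUNNER_TEMP/trufflehog-exclude"
  echo "Using regex exclusions: .trufflehog-exclude (from base commit)"
fi

if git cat-file -e "$BASE_SHA:.trufflehog-exclude-globs" 2>/dev/null; then
  PATTERNS=$(git show "$BASE_SHA:.trufflehog-exclude-globs" | grep -v '^#' | grep -v '^[[:space:]]*$' | tr '\n' ',' | sed 's/,$//' || true)
  # … unchanged: ARGS assembly and "Using glob exclusions" echo …
fi
# … unchanged: "No exclusion files found" message and GITHUB_OUTPUT write …
```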
@@ -20,4 +20,9 @@ jobs:
 permissions:
 contents: read
 pull-requests: write
- issues: write
\ No newline at end of file
+ issues: write
+ trufflehog-scan:
+ name: TruffleHog Scan
+ uses: marklogic/pr-workflows/.github/workflows/trufflehog-scan.yml@main
+ permissions:
+ contents: read
\ No newline at end of file
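Review bot: The new `trufflehog-scan` job calls a workflow whose own header says it expects a `pull_request` event context and which checks out `github.event.pull_request.head.sha`, but the template's `on:` trigger lies outside this hunk, so I cannot confirm the caller's event satisfies that; if this template is driven by a `push` or `pull_request_target` trigger the `base`/`head` inputs would be empty or refer to a different commit. A comment above the job would make the dependency visible to whoever copies the template, e.g. `# Requires a pull_request-family trigger: the called workflow reads github.event.pull_request.*`. The enclosing `jobs:` mapping and the sibling job's `permissions` block start before the hunk.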