diff --git a/.github/workflows/trufflehog.yml.yml b/.github/workflows/trufflehog.yml.yml
new file mode 100644
index 0000000..08d83a9
--- /dev/null
+++ b/.github/workflows/trufflehog.yml.yml
@@ -0,0 +1,78 @@
+# Security scan for secrets using TruffleHog
+name: TruffleHog
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+permissions:
+ contents: read
+ id-token: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ trufflehog:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ # 1. Checkout the code
+ - name: Checkout code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ # 2. Determine scan scope
+ - name: Set scan path
+ id: scan_path
+ run: |
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ CHANGED_FILES=$(git diff --name-only origin/${{ github.event.repository.default_branch }} HEAD | tr '\n' ' ')
+ echo "PATHS=$CHANGED_FILES" >> $GITHUB_ENV
+ else
+ echo "PATHS=./" >> $GITHUB_ENV
+ fi
+
+ # 3. Run TruffleHog scan
+ - name: TruffleHog OSS
+ id: trufflehog
+ run: |
+ trufflesecurity/trufflehog@main \
+ --path "${{ env.PATHS }}" \
+ --base "${{ github.event.repository.default_branch }}" \
+ --head HEAD \
+ --json --debug > trufflehog.json
+
+ # 4. Post results to PR (only runs for pull requests)
+ - name: Post results to PR
+ if: github.event_name == 'pull_request'
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const fs = require('fs');
+ const results = fs.readFileSync('trufflehog.json', 'utf8').trim();
+ const body = results.length > 0
+ ? `🔍 **TruffleHog scan results:**\n\`\`\`json\n${results}\n\`\`\``
+ : '✅ No secrets found by TruffleHog.';
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body
+ });
+
+ # 5. Fail the build if secrets were found
+ - name: Fail if secrets found
+ run: |
+ if [ -s trufflehog.json ]; then
+ echo "❌ Secrets found!"
+ cat trufflehog.json
+ exit 1
+ else
+ echo "✅ No secrets found."
+ fi
diff --git a/packages/frontend/package.json b/packages/frontend/package.json
index 84d7065..97cacce 100644
--- a/packages/frontend/package.json
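Review bot: Step 3 ("TruffleHog OSS") runs `trufflesecurity/trufflehog@main` inside a `run:` script, but that string is an action reference, not an executable on the runner, so the step exits with command-not-found and no scan ever happens; it belongs under `uses:` with `path`/`base`/`head` passed as `with:` inputs (rewrite below), and the ref should be pinned to a full commit SHA rather than a moving `@main`, as should `actions/checkout@v3`. Step 5's gate is fail-open: `[ -s trufflehog.json ]` is false for a missing report as well as an empty one, so a scanner that never wrote output reads as "No secrets found" — change it to `if [ ! -f trufflehog.json ] || [ -s trufflehog.json ]; then` so an absent report fails the build, and note that the action form does not write that file, so steps 4 and 5 need to be driven by the action's outcome instead. Step 4 pastes the raw JSON into a PR comment, and TruffleHog's JSON findings carry the matched secret text, so this republishes any leaked credential to everyone who can read the PR (and to notification e-mails); post a finding count and a link to the job log instead. In step 3, `${{ env.PATHS }}` is expanded into the script text before bash runs it, and the changed-file names that feed it in step 2 come from the PR head, so a crafted file name becomes script; reference the shell variable `"$PATHS"` instead so names are only ever data. `id-token: write` is not used by any step and can be dropped from `permissions:`.
```yaml
# … unchanged: steps 1 (checkout) and 2 (set scan path) …
      # 3. Run TruffleHog scan (an action reference, so it goes under `uses:`)
      - name: TruffleHog OSS
        id: trufflehog
        uses: trufflesecurity/trufflehog@main  # TODO: pin to a full commit SHA
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --json
# … steps 4 and 5 must be reworked to use this step's outcome rather than trufflehog.json (see note) …
```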
+++ b/packages/frontend/package.json
@@ -39,7 +39,7 @@
 "gsap": "^3.12.5",
 "lenis": "^1.1.16",
 "livepeer": "^3.4.0",
- "lucide-react": "^0.424.0",
+ "lucide-react": "^0.474.0",
 "react": "^18.3.1",
 "react-animated-cursor": "^2.11.2",
 "react-calendar": "^5.1.0",