diff --git a/.github/workflows/secrets.yaml b/.github/workflows/secrets.yaml
index ad60ee6..0932e59 100644
--- a/.github/workflows/secrets.yaml
+++ b/.github/workflows/secrets.yaml
@@ -13,6 +13,7 @@ jobs:
 - uses: "actions/checkout@v4"
 with:
 fetch-depth: 0
- - uses: "trufflesecurity/trufflehog@main"
+ # Pinned to SHA for supply chain security (main branch as of 2024)
+ - uses: "trufflesecurity/trufflehog@a633174c3b2242aa1b6f8941d2ad6a99e0305964"
 with:
 extra_args: "--results=verified,unknown"
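Review bot: The context line `- uses: "actions/checkout@v4"` just above the new pin is still a mutable tag, so after this commit the job pins one action to a commit while the other still resolves to whatever `v4` points at on the day the workflow runs; pin it the same way, e.g. `- uses: "actions/checkout@<full-commit-sha>"  # v4.x.y`. The added comment `# Pinned to SHA for supply chain security (main branch as of 2024)` records neither the tag nor the date the SHA was taken from, which makes the pin hard to audit and hard to bump later; the convention is a trailing comment on the `uses:` line itself, `# vX.Y.Z` (or `# main, YYYY-MM-DD` when no release tag matches), which is also what Dependabot and Renovate read to keep SHA-pinned actions updated. Pinning to a commit that corresponds to a published trufflehog release rather than an arbitrary point on `main` would make the pin reviewable against upstream release notes. The enclosing job definition starts before this hunk.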