diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 39b6e052..5ca9b0d1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,11 +34,6 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 
- - uses: gitleaks/gitleaks-action@v2
- if: ${{ github.ref == 'refs/heads/master' && matrix.target != 'home-manager' }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 - name: Insall nix
 uses: cachix/install-nix-action@V27
 with:
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 00000000..04f069ef
--- /dev/null
+++ b/.github/workflows/check.yml
@@ -0,0 +1,16 @@
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+ scan:
+ name: gitleaks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # TODO: add nix flake check
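Review bot: The new `scan` job in check.yml declares no `permissions:` block, so the `GITHUB_TOKEN` passed to `gitleaks/gitleaks-action@v2` carries whatever default scope the repository is configured with, and the job now runs on every `pull_request` and `push` instead of only on master. I would add a workflow-level `permissions:` with `contents: read`, widening it (for example `pull-requests: write`) only if the action's PR comments are actually wanted; which scopes the action needs is not visible here, so confirm against its documentation. Both `uses:` lines also reference mutable tags; pinning the third-party one as `uses: gitleaks/gitleaks-action@<full-commit-sha> # v2` keeps a moved tag from running new code with that token. Listing both `pull_request` and `push` will probably scan same-repository PR branches twice, so consider restricting `push` to the default branch.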