diff --git a/.gitallowed b/.gitallowed
new file mode 100644
index 0000000..72ef001
--- /dev/null
+++ b/.gitallowed
@@ -0,0 +1 @@
+arn:aws:sns:[a-z0-9-]+:[0-9]{12}:[a-z0-9-]+
diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
new file mode 100644
index 0000000..34085c6
--- /dev/null
+++ b/.github/workflows/secrets.yml
@@ -0,0 +1,11 @@
+name: Source safety
+on:
+  pull_request:
+  push:
+jobs:
+  secrets:
+    name: Check for secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: nationalarchives/tdr-github-actions/.github/actions/run-git-secrets@main