diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..29ec89b
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,32 @@
+name: Pre-commit Checks
+
+on:
+ pull_request:
+ branches: [ main ]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ pre-commit:
+ name: Run pre-commit hooks
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: Set up Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.12'
+ cache: 'pip'
+
+ - name: Install pre-commit
+ run: pip install pre-commit
+
+ - name: Run pre-commit
+ run: pre-commit run --all-files --show-diff-on-failure
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 6f73d44..1e79def 100644
--- a/.gitignore
+++ b/.gitignore
@@ -179,7 +179,10 @@ celerybeat.pid
 *.sage.py
 
 # Environments
+# Local environment files may contain credentials
 .env
+.env.*
+!.env.example
 .venv
 env/
 venv/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..2055495
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,11 @@
+repos:
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.25.2
+ hooks:
+ - id: zizmor
+ exclude: ^\.github/workflows/run-samples\.yml$
+
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.30.1
+ hooks:
+ - id: gitleaks
\ No newline at end of file
diff --git a/requirements-dev.txt b/requirements-dev.txt
index b57188b..9018bd6 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,4 +1,5 @@
 -r requirements-runtime.txt
+pre-commit
 pytest
 pytest-xdist
 pytest-timeout
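Review bot: `pip install pre-commit` in the "Install pre-commit" step resolves whatever version PyPI serves at run time, so the tool that executes every hook is the one unpinned piece in a workflow that otherwise pins its actions by commit SHA. Pin it, for example `run: pip install pre-commit==PINNED_VERSION` (placeholder, pick the version you have vetted), or install from a hash-locked requirements file. The `requirements-dev.txt` hunk adds the same unpinned `pre-commit` entry, and a single pinned source for both would keep local and CI runs on the same version. Also check `cache: 'pip'`: setup-python keys the cache on a dependency file and by default looks for `requirements.txt` or `pyproject.toml`, neither of which this diff shows, so `cache-dependency-path: requirements-dev.txt` may be needed for the step to succeed.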
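Review bot: The `gitleaks` hook declared here probably scans nothing when the workflow runs `pre-commit run --all-files`: as far as I can tell the upstream hook inspects staged changes only and ignores the file list pre-commit passes, and a fresh CI checkout has nothing staged, so confirm this against the pinned rev. If that holds, the job reports success without secret-scanning the pull request; keep the hook for local commits, add a separate full-repository scan to the workflow, and record the limit here with `# gitleaks hook checks staged changes only; CI needs a separate full-repository scan`. Separately, both `rev:` values are tags, which the hook repository's owner can move, while the workflow pins its actions by commit SHA; setting `rev` to the full commit SHA with the version in a trailing comment would make the two consistent. The `exclude` for `run-samples.yml` on the zizmor hook also deserves a one-line comment stating why that workflow is exempt from the audit.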