diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index e6ffb49..962a48d 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
+    # Skip on PRs from forks: GITLEAKS_LICENSE is not exposed to fork PRs,
+    # so gitleaks-action fails. Fork contributions still get scanned on push to main.
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - uses: actions/checkout@v4
         with: