diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index 48d6d29..17919d0 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -21,10 +21,21 @@ jobs:
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
- LATEST_TAG_NAME=$(gh api repos/trufflesecurity/trufflehog/releases --jq '.[1].tag_name')
+ RELEASES=$(gh api repos/trufflesecurity/trufflehog/releases --jq '.[1:3][].tag_name')
- if [[ -z "$LATEST_TAG_NAME" || "$LATEST_TAG_NAME" == "null" ]]; then
- echo "::error::Failed to fetch TruffleHog release info"
+ LATEST_TAG_NAME=""
+ for tag in $RELEASES; do
+ version="${tag#v}"
+ url="https://github.com/trufflesecurity/trufflehog/releases/download/${tag}/trufflehog_${version}_linux_amd64.tar.gz"
+ if curl --head --fail --silent --show-error --retry 2 --retry-delay 3 --retry-all-errors "$url" > /dev/null 2>&1; then
+ LATEST_TAG_NAME="$tag"
+ break
+ fi
+ echo "::warning::Release ${tag} assets unavailable, trying next"
+ done
+
+ if [[ -z "$LATEST_TAG_NAME" ]]; then
+ echo "::error::No usable TruffleHog release found"
 exit 1
 fi
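Review bot: The `curl --head` probe added in the `for tag in $RELEASES` loop only shows that an asset URL answers; it says nothing about the tarball's contents, and the tag is still chosen at run time rather than pinned. The download and extraction that presumably follow are outside this hunk, so if they do not already do it, verify the archive against the release's published checksums before unpacking, e.g. `sha256sum --check --ignore-missing <checksums-file>`, or pin a reviewed version and digest. Separately, `> /dev/null 2>&1` throws away what `--show-error` would print, so the job log never says why a release was skipped; dropping `2>&1` keeps that reason visible. An empty `$RELEASES` now also ends in "No usable TruffleHog release found", which hides the API fetch failure that the old message named.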