diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index 65dde0b..dc7ab4f 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -76,7 +76,7 @@ jobs:
         # HIGH RISK historically ran as @main (moving HEAD of third-party action).
         # Now pinned to v3.94.3 commit SHA. Re-pin manually before bumping — never
         # go back to @main, @master, or any moving tag on a third-party action.
-        uses: trufflesecurity/trufflehog@47e7b7cd74f578e1e3145d48f669f22fd1330ca6  # v3.94.3
+        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab  # v3.95.3
         with:
           # Scan the whole working tree. `--only-verified` suppresses noisy
           # unverified hits; the action wrapper appends `--fail` itself, so