diff --git a/.github/workflows/config/.secrets.baseline b/.github/workflows/config/.secrets.baseline
new file mode 100644
index 0000000000..c40fcb1eca
--- /dev/null
+++ b/.github/workflows/config/.secrets.baseline
@@ -0,0 +1,241 @@ +{ + "version": "1.5.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "GitLabTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "IPPublicDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "OpenAIDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "PypiTokenDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TelegramBotTokenDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".github/workflows/config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": 
"detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + "pyproject\\.toml|\\.github/workflows/config/\\.secrets\\.baseline" + ] + } + ], + "results": { + ".github/workflows/cicd-main.yml": [ + { + "type": "Secret Keyword", + "filename": ".github/workflows/cicd-main.yml", + "hashed_secret": "0de7d8c7d76191fdcb236d3c62be9adf20424ca2", + "is_verified": false, + "line_number": 284 + } + ], + "CONTRIBUTING.md": [ + { + "type": "Secret Keyword", + "filename": "CONTRIBUTING.md", + "hashed_secret": "999d493295471df21f917fdc49321086466edf87", + "is_verified": false, + "line_number": 58, + "is_secret": false + } + ], + "docker/manifest.json": [ + { + "type": "Hex High Entropy String", + "filename": "docker/manifest.json", + "hashed_secret": "7ae58d0f08b842ce4d8de7c9ae79feca070eb79e", + "is_verified": false, + "line_number": 5, + "is_secret": false + } + ], + "scripts/training/launch_with_sbatch.sh": [ + { + "type": "Secret Keyword", + "filename": "scripts/training/launch_with_sbatch.sh", + "hashed_secret": "5d961f73a9b6f9dc9884e659e013d76631e13dbf", + "is_verified": false, + "line_number": 87, + "is_secret": false + } + ], + "tests/functional_tests/training/test_load_model.py": [ + { + "type": "Base64 High Entropy String", + "filename": "tests/functional_tests/training/test_load_model.py", + "hashed_secret": "906b706cb02260b7de67df2a36315ae2fb2ab27d", + "is_verified": false, + "line_number": 41, + "is_secret": false + } + ], + "tests/unit_tests/recipes/test_run_plugins.py": [ + { + "type": "Secret Keyword", + "filename": "tests/unit_tests/recipes/test_run_plugins.py", + "hashed_secret": "767ef7376d44bb6e52b390ddcd12c1cb1b3902a4", + "is_verified": false, + "line_number": 521, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": 
"tests/unit_tests/recipes/test_run_plugins.py", + "hashed_secret": "00942f4668670f34c5943cf52c7ef3139fe2b8d6", + "is_verified": false, + "line_number": 882, + "is_secret": false + } + ], + "tutorials/data/dclm/data_pipeline.ipynb": [ + { + "type": "Base64 High Entropy String", + "filename": "tutorials/data/dclm/data_pipeline.ipynb", + "hashed_secret": "518f01d26deb33a16a9750232754e8950c8fc698", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Base64 High Entropy String", + "filename": "tutorials/data/dclm/data_pipeline.ipynb", + "hashed_secret": "a307fa66e51942700c4023ae0a4745654e768735", + "is_verified": false, + "line_number": 129, + "is_secret": false + }, + { + "type": "Base64 High Entropy String", + "filename": "tutorials/data/dclm/data_pipeline.ipynb", + "hashed_secret": "8bc0e0ae33dd981ff58e4a06e0392c87d1bda9e5", + "is_verified": false, + "line_number": 136, + "is_secret": false + } + ], + "tutorials/training/reduced_precision_training.ipynb": [ + { + "type": "Base64 High Entropy String", + "filename": "tutorials/training/reduced_precision_training.ipynb", + "hashed_secret": "9e399440a1f7957a428b39d3a61d249f64401780", + "is_verified": false, + "line_number": 122, + "is_secret": false + } + ] + }, + "generated_at": "2026-01-29T20:01:40Z" +} diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml new file mode 100644 index 0000000000..874f6bd598 --- /dev/null +++ b/.github/workflows/detect-secrets.yml 
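Review bot: The `.github/workflows/cicd-main.yml` result (Secret Keyword, line 284) is the only entry in `results` without an `is_secret` label, so it enters the baseline unaudited and will still be suppressed on later scans. Run `detect-secrets audit .github/workflows/config/.secrets.baseline` and record the verdict; if that line holds a real credential, it should be rotated and moved into a repository secret rather than baselined. Separately, the `should_exclude_file` pattern `pyproject\\.toml|...` appears unanchored, so any path containing `pyproject.toml` would be skipped entirely; if only the root file is meant, anchor it as `^pyproject\\.toml$`.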
@@ -0,0 +1,21 @@
+# Copyright (c) 2026 NVIDIA CORPORATION.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: Secrets detector
+
+on:
+ pull_request:
+
+jobs:
+ secrets-detector:
+ uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_secrets-detector.yml@v0.70.0
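Review bot: The reusable workflow on the `uses:` line is referenced by the tag `v0.70.0`, which can be moved after the fact. Pinning to the full commit SHA with the tag as a trailing comment, `uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_secrets-detector.yml@<full-commit-sha> # v0.70.0`, fixes exactly what code runs on every pull request. The workflow also declares no `permissions:`, so the called workflow gets the repository's default token scope; a top-level `permissions:` with `contents: read` would cap it, assuming the template needs nothing more (its contents are not visible here). No `with:` inputs are passed, so the template presumably finds `.github/workflows/config/.secrets.baseline` by default, which is worth confirming.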