From 042b2c867ddf66bb29412ceba8c62f2238ba4289 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Fri, 6 Mar 2026 14:41:23 -0500
Subject: [PATCH] Docs: clarify main secret scan behavior

---
 docs/gateway/security/index.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md
index 3f830823b51..c62b77352e8 100644
--- a/docs/gateway/security/index.md
+++ b/docs/gateway/security/index.md
@@ -1159,9 +1159,9 @@ If your AI does something bad:
 ## Secret Scanning (detect-secrets)
 
 CI runs the `detect-secrets` pre-commit hook in the `secrets` job.
-It checks changed files when a base commit is available, and falls back to an
-all-files scan otherwise. If it fails, there are new candidates not yet in the
-baseline.
+Pushes to `main` always run an all-files scan. Pull requests use a changed-file
+fast path when a base commit is available, and fall back to an all-files scan
+otherwise. If it fails, there are new candidates not yet in the baseline.
 
 ### If CI fails