diff --git a/.github/workflows/ci-main-pull-request-stub-trufflehog-only.yml b/.github/workflows/ci-main-pull-request-stub-trufflehog-only.yml
new file mode 100644
index 00000000..8a215a23
--- /dev/null
+++ b/.github/workflows/ci-main-pull-request-stub-trufflehog-only.yml
@@ -0,0 +1,45 @@
+# This stub runs only the TruffleHog scan as part of CI checks on pull requests to main branch.
+
+name: CI Pull Request – TruffleHog Only
+
+on: 
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  call-ci-main-pr-check-pipeline:
+    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
+    secrets: inherit
+    permissions: 
+      id-token: write
+      contents: read
+    with:   
+      visibility: ${{ github.event.repository.visibility }}
+
+      # Enabled features
+      perform-trufflehog-scan: true
+      generate-sbom: true
+      export-github-sbom: true
+
+      # All other features
+      perform-complexity-checks: false
+      perform-language-linting: false
+      perform-blackduck-polaris: false
+      perform-blackduck-sca-scan: false
+      build: false
+      unit-tests: false
+      perform-sonarqube-scan: false
+      report-to-atlassian-dashboard: false
+      package-binaries: false
+      habitat-build: false
+      publish-packages: false
+      generate-blackduck-sbom: false
+      generate-msft-sbom: false
+      license_scout: false