diff --git a/sdk/templates/ci_dev.gitlab-ci.yml b/sdk/templates/ci_dev.gitlab-ci.yml index 5af34fd1d220ea47f3905df930c19047ecaabbc0..b00cd24fd45d8f6938cc5317944047fdca4481f1 100644 --- a/sdk/templates/ci_dev.gitlab-ci.yml +++ b/sdk/templates/ci_dev.gitlab-ci.yml @@ -22,11 +22,25 @@ dev_secrets_in_repo: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' when: never - when: always + # script: + # - | + # pip install trufflehog + # cd ../ + # trufflehog filesystem sdk --exclude-paths sdk/cicd/exclusions --max-depth 5 script: - | - pip install trufflehog - cd ../ - trufflehog filesystem sdk --exclude-paths sdk/cicd/exclusions --max-depth 5 + set -euo pipefail + + # 1) Descargar trufflehog v3 (binario) en vez del "trufflehog" de pip (v2) + TRUF_VER="v3.82.0" + ARCH="linux_amd64" # si tus runners son amd64 + curl -sSL -o /tmp/trufflehog.tgz "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUF_VER}/trufflehog_${TRUF_VER#v}_${ARCH}.tar.gz" + tar -xzf /tmp/trufflehog.tgz -C /usr/local/bin trufflehog + trufflehog --version + + # 2) Ejecutar scan sobre la carpeta sdk + # OJO: usa el fichero real de exclusiones (ajusta si no está en cicd/exclusions) + trufflehog filesystem sdk --exclude-paths cicd/exclusions --max-depth 5 <<: *dev_common # define the process to do linting code: ruff diff --git a/sdk/templates/ci_staging.gitlab-ci.yml b/sdk/templates/ci_staging.gitlab-ci.yml index d3c5e56cd6b0bce7f92d54f806ca39cdce95a0d1..736a85e18925b6b513d5e40a1e00de670d299fcd 100644 --- a/sdk/templates/ci_staging.gitlab-ci.yml +++ b/sdk/templates/ci_staging.gitlab-ci.yml 
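Review bot: The trufflehog tarball fetched by `curl` is unpacked into `/usr/local/bin` and executed with no integrity check, so the job trusts whatever the release URL returns at run time. The same `curl`/`tar` pair appears in the `ci_staging.gitlab-ci.yml` hunk; both should verify a pinned SHA-256 before extraction. `curl -sSL` also lacks `--fail`, so an HTTP error body would be saved as the tarball and the failure would only surface later in `tar`. The sketch below pins a digest next to `TRUF_VER`; its value is a placeholder to be filled in from the checksums published with the release. The `script:` block belongs to the `dev_secrets_in_repo` job, whose definition starts above the hunk.

```yaml
      # … unchanged: set -euo pipefail, TRUF_VER, ARCH …
      # Placeholder value: replace with the SHA-256 of this exact release tarball.
      TRUF_SHA256="<sha256-of-release-tarball>"
      curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
        -o /tmp/trufflehog.tgz \
        "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUF_VER}/trufflehog_${TRUF_VER#v}_${ARCH}.tar.gz"
      # Stop before extraction if the archive does not match the pinned digest.
      echo "${TRUF_SHA256}  /tmp/trufflehog.tgz" | sha256sum -c -
      tar -xzf /tmp/trufflehog.tgz -C /usr/local/bin trufflehog
      # … unchanged: trufflehog --version and the filesystem scan …
```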
@@ -31,11 +31,22 @@ variables: staging_secrets_in_repo: stage: staging_secrets_in_repo + # script: + # - | + # pip install trufflehog + # cd ../ + # trufflehog filesystem capif --exclude-paths capif/cicd/exclusions --max-depth 5 script: - | - pip install trufflehog - cd ../ - trufflehog filesystem capif --exclude-paths capif/cicd/exclusions --max-depth 5 + set -euo pipefail + + TRUF_VER="v3.82.0" + ARCH="linux_amd64" + curl -sSL -o /tmp/trufflehog.tgz "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUF_VER}/trufflehog_${TRUF_VER#v}_${ARCH}.tar.gz" + tar -xzf /tmp/trufflehog.tgz -C /usr/local/bin trufflehog + trufflehog --version + + trufflehog filesystem capif --exclude-paths cicd/exclusions --max-depth 5 <<: *staging_common # define the process to do linting code: ruff
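Review bot: The scan line `trufflehog filesystem capif --exclude-paths cicd/exclusions --max-depth 5` carries no `--fail`, and trufflehog v3 exits 0 even when it reports findings unless that flag is given. As written, this job and the dev job in `ci_dev.gitlab-ci.yml` would print detected secrets without failing the pipeline; appending `--fail` to both scan commands makes the job an actual gate. The hunk also drops `cd ../` and shortens the exclusions path while keeping `capif` as the target, so whether both paths still resolve depends on the job's working directory, which is not visible here. A guard such as `test -d capif && test -f cicd/exclusions` before the scan would turn a wrong path into an explicit failure. `--max-depth` appears to be an option of the `git` subcommand in v3 rather than of `filesystem`, which is worth confirming against `trufflehog filesystem --help` for the pinned version.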