diff --git a/bin/update_sops.sh b/bin/update_sops.sh
index 8627645..98a1eac 100755
--- a/bin/update_sops.sh
+++ b/bin/update_sops.sh
@@ -134,6 +134,7 @@ function main(){
 groups_def_dir="${repo_root}/groups"
 opt_list_groups=0
 groups_list=()
+ opt_find_secrets=0
 secrets_file_list=()
 while (( $# >= 1 ));do
@@ -149,6 +150,8 @@ function main(){
 -lg|--list_groups) opt_list_groups=1 ;;
 # ARGS: [optional] [list] specify "groups" which correspond to e.g. job groups, projects, etc
 -g|--group) groups_list+=( "${2}" ); shift ;;
+ # ARGS: [optional] update all "secrets.yaml" files found below .sops.yaml location
+ -f|--find_secrets) opt_find_secrets=1;;
 # ARGS: [optional] [list] specify files containing sops-encrypted secrets
 -s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;;
 # ARGS: [optional] [list] specify files containing sops-encrypted secrets
@@ -182,12 +185,19 @@ function main(){
 # locate appropriate sops config if default assumption not found
 # dev note: '2> /dev/null' to disable debug output
 sops_config="$(fn_sops_locate_config_in_git_repo 2> /dev/null)"
+ sops_config_dir="$(basename "${sops_config}")"
 fi
+
+ # Paths to Secrets Files
 if [[ "${#secrets_file_list[@]}" != "0" ]]; then
 for secrets_file in "${secrets_file_list[@]}"; do
 test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1)
 done
 fi
+ if [[ "${opt_find_secrets}" -eq 1 ]]; then
+ found_secrets_file_list="$(find "${sops_config_dir}" -name secrets.yaml)"
+ secrets_file_list+=("$(find "${sops_config_dir}" -name secrets.yaml)")
+ fi
 # /VALIDATE INPUTS
 # /OPTIONS: ARGPARSING and VALIDATION
diff --git a/verify/test.sh b/verify/test.sh
index fdb721d..c5b3665 100755
--- a/verify/test.sh
+++ b/verify/test.sh
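Review bot: The new `-f|--find_secrets)` arm shadows the `-f` alias of the existing `-s|--secrets_file|-f|--file)` arm two lines below it: `case` takes the first matching pattern, so `-f <path>` now sets `opt_find_secrets` and leaves `<path>` to be consumed as the next argument instead of being appended to `secrets_file_list`. Either drop the short flag from the new arm, `--find_secrets) opt_find_secrets=1 ;;`, or remove `-f` from the `--file` arm; the enclosing `while`/`case` starts and ends outside this hunk, so I cannot see whether an unknown-argument arm would reject the stray path. For consistency with the neighbouring arms the terminator should be written `opt_find_secrets=1 ;;`.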
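Review bot: `sops_config_dir="$(basename "${sops_config}")"` yields the file name, not the directory; if `sops_config` is the path to the `.sops.yaml` file, as its name and the `git checkout "${PWD}/.sops.yaml"` in the test suggest, `find "${sops_config_dir}" -name secrets.yaml` searches a path that is not a directory and finds nothing, so `dirname` is what the comment on the new option describes. The assignment also sits only inside the "default assumption not found" branch, whose `if` begins outside the hunk, so on the other path `sops_config_dir` is presumably unset and `find` would run against an empty (or, depending on `set -u`, fatal) argument. `secrets_file_list+=("$(find ...)")` appends the whole newline-joined output as one array element, `find` is run twice, and `found_secrets_file_list` is never read; the existence check just above also runs before the found files are appended, though they exist by construction. I would use `dirname`, guard the directory, and fill the array one element per path as below.
```shell
        sops_config_dir="$(dirname "${sops_config}")"
    fi
    # … unchanged: "Paths to Secrets Files" existence check …
    if [[ "${opt_find_secrets}" -eq 1 ]]; then
        # an empty/unset dir would make find scan the cwd or fail; abort instead
        : "${sops_config_dir:?no sops config directory to search}"
        # one array element per file, NUL-delimited so unusual names survive
        while IFS= read -r -d '' found_secrets_file; do
            secrets_file_list+=("${found_secrets_file}")
        done < <(find "${sops_config_dir}" -name secrets.yaml -print0)
    fi
```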
@@ -77,6 +77,33 @@ else
 >&2 echo "# INFO: skipping ...."
 fi
+# ---
+if [[ 1 -eq 1 ]]; then
+ >&2 echo -e "# ---\n# TEST: auto-find secrets files"
+ # SETUP
+ _tmp_mock_secrets_filepath='mock_hierarchy/secrets.yaml'
+ mkdir -p "$(dirname "${_tmp_mock_secrets_filepath}")"
+ touch "${_tmp_mock_secrets_filepath}"
+ # RUN
+ # set -x
+ # suspend strict: check output for errors
+ set +e
+ # move 'set -x' within the sub-shell, otherwise all output dumped to tty
+ # ... bug: stderr still gets printed, not sure why. E.g. '# RUN: sops updatekeys mock_secrets.yaml'
+ _out="$(set -x; ../bin/update_sops.sh -c "${PWD}" --find_secrets 2>&1 )"
+ # re-enable strict
+ set -e
+ set +x
+ grep "${_tmp_mock_secrets_filepath}" <<< "${_out}"
+ set -e
+ # TEARDOWN
+ rm -rf "${_tmp_mock_secrets_filepath}"
+ # enmesh: restore, since this particular one is checked in
+ git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
+else
+ >&2 echo "# INFO: skipping ...."
+fi
+
 # ---
 if [[ 1 -eq 1 ]]; then
 >&2 echo -e "# ---\n# TEST: induce error: invalid file"
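Review bot: The assertion `grep "${_tmp_mock_secrets_filepath}" <<< "${_out}"` runs after `set -e` has been re-enabled, so a miss aborts the script before the TEARDOWN lines run, leaving `mock_hierarchy/secrets.yaml` on disk and `.sops.yaml` un-restored for the tests that follow (the next test begins immediately after this block). The pattern is also interpreted as a regex and is not protected against a leading `-`; `grep -qF --` is the safer form. The `set -e` / `set +x` / `set -e` sequence contains a redundant `set -e`, and `set +x` pairs with a `set -x` that is commented out. I would record the grep status while strict mode is still off, run the teardown unconditionally, and fail on the recorded status afterwards, as below.
```shell
    set +e
    _out="$(set -x; ../bin/update_sops.sh -c "${PWD}" --find_secrets 2>&1 )"
    grep -qF -- "${_tmp_mock_secrets_filepath}" <<< "${_out}"
    _rc=$?
    set -e
    # TEARDOWN — always runs, even when the assertion above failed
    rm -rf -- "${_tmp_mock_secrets_filepath}"
    # enmesh: restore, since this particular one is checked in
    git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
    (( _rc == 0 )) || { >&2 echo "E: expected '${_tmp_mock_secrets_filepath}' in output"; exit 1; }
```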