diff --git a/README.md b/README.md
index ae9aec8..7acbe5a 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ Note: For a worked-through example, see next section.
 - CLI: `${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --list_groups`
 - Reminder: Group Name usually corresponds to Repository Name
 1. Update sops config AND all secrets files:
- - CLI: `${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g $(find . -name secrets.yaml)`
+ - CLI: `${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --group --find_secrets
 1. **Commit the changes, Create Change Request (PR/MR)**
 1. git: commit the changes to `.sops.yaml` and secrets files (`secrets.yaml`) files
 - CLI: `git add .sops.yaml $(find . -name secrets.yaml)`
@@ -132,7 +132,7 @@ devnso-adp-argocd
 # For a given group, update sops config AND all secrets files - New Users cannot add themselves!
 # Output:
-% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd $(find . -name secrets.yaml)
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --group devnso-adp-argocd --find_secrets
 # RUN: generate SOPS config
 # RUN: gpg --import *.gpg.pub
 # RUN: sops updatekeys ./loki/loki/secrets.yaml
@@ -218,7 +218,7 @@ find groups/ -name ${keyname}
 # For each group, update sops config in that repo
 # Example:
 % cd devnso-adp-argocd
-% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd $(find . -name secrets.yaml)
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --group devnso-adp-argocd --find_secrets
 # now git commit, push, etc
 ```
diff --git a/bin/update_sops.sh b/bin/update_sops.sh
index f2bf8cf..bbb0407 100755
--- a/bin/update_sops.sh
+++ b/bin/update_sops.sh
@@ -124,18 +124,17 @@ function main(){
 fi
 # "anchor" for actions relevant to this script
 repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"
+ # OPTIONS: ARGPARSING and VALIDATION
 # assume location of script as running directly from repo with keys (instead of as a standalone packaged tool)
 keyfiles_dir="${repo_root}"
- # assume location of secrets config file in pwd
+ # dir containing .sops.yaml
 sops_config_dir=""
 # path to group definitions
 groups_def_dir="${repo_root}/groups"
- # optional:
 opt_list_groups=0
- # optional: specify "groups"
 groups_list=()
- # optional: secrets files to be updated
+ opt_find_secrets=0
 secrets_file_list=()
 while (( $# >= 1 ));do
@@ -151,6 +150,8 @@ function main(){
 -lg|--list_groups) opt_list_groups=1 ;;
 # ARGS: [optional] [list] specify "groups" which correspond to e.g. job groups, projects, etc
 -g|--group) groups_list+=( "${2}" ); shift ;;
+ # ARGS: [optional] update all "secrets.yaml" files found below .sops.yaml location
+ -f|--find_secrets) opt_find_secrets=1;;
 # ARGS: [optional] [list] specify files containing sops-encrypted secrets
 -s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;;
 # ARGS: [optional] [list] specify files containing sops-encrypted secrets
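Review bot: The new `-f|--find_secrets` arm lists `-f`, which the very next arm `-s|--secrets_file|-f|--file` already accepts as an alias for a secrets file; bash `case` takes the first matching arm, so `-f <file>` now sets `opt_find_secrets=1` and leaves `<file>` to be parsed as the following option instead of being appended to `secrets_file_list` — a silent breaking change for existing callers. Keep the new arm as `--find_secrets)` only, or drop `-f` from the `--file` arm deliberately and say so in the usage text. Separately, the README examples in this commit pass `--group --find_secrets`, but `-g|--group) groups_list+=( "${2}" ); shift ;;` consumes the next token unconditionally, so that invocation records `--find_secrets` as the group name; a guard such as `[[ -n "${2:-}" && "${2}" != -* ]] || { echo "E: --group requires a value" >&2; exit 1; }` before the append would catch it. The enclosing `while`/`case` and `main` start and end outside the hunk.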
@@ -184,12 +185,22 @@ function main(){
 # locate appropriate sops config if default assumption not found
 # dev note: '2> /dev/null' to disable debug output
 sops_config="$(fn_sops_locate_config_in_git_repo 2> /dev/null)"
+ sops_config_dir="$(dirname "${sops_config}")"
 fi
+
+ # Paths to Secrets Files
 if [[ "${#secrets_file_list[@]}" != "0" ]]; then
 for secrets_file in "${secrets_file_list[@]}"; do
 test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1)
 done
 fi
+ if [[ "${opt_find_secrets}" -eq 1 ]]; then
+ # DEV NOTE: this is far too complicated
+ # loop through find, src: https://stackoverflow.com/questions/9612090/how-to-loop-through-file-names-returned-by-find
+ while IFS= read -r -d $'\0'; do
+ secrets_file_list+=("${REPLY}")
+ done < <( find "${sops_config_dir}" -name secrets.yaml -print0 )
+ fi
 # /VALIDATE INPUTS
 # /OPTIONS: ARGPARSING and VALIDATION
diff --git a/verify/test.sh b/verify/test.sh
index fdb721d..4a023ba 100755
--- a/verify/test.sh
+++ b/verify/test.sh
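Review bot: `sops_config_dir="$(dirname "${sops_config}")"` is derived from a lookup whose stderr is discarded, so when `fn_sops_locate_config_in_git_repo` produces nothing `dirname ""` yields `.` and the new `--find_secrets` branch then collects every `secrets.yaml` under the current directory rather than under the located `.sops.yaml`; and if the default-assumption path outside this hunk never assigns `sops_config_dir`, it stays `""` and `find ""` reports an error and yields nothing, silently. Check the value before walking it, e.g. `[[ -n "${sops_config}" && -d "${sops_config_dir}" ]] || { echo "E: cannot determine .sops.yaml directory for --find_secrets" >&2; exit 1; }` ahead of the `find`. The read loop (and its "far too complicated" note) can become one line that appends instead of overwriting: `mapfile -d '' -t -O "${#secrets_file_list[@]}" secrets_file_list < <(find "${sops_config_dir}" -name secrets.yaml -print0)`, which also drops `$'\0'` (an empty string in bash, equivalent to `-d ''` but easy to misread). A file passed with `-s` that also lies below `sops_config_dir` is appended twice and would be updated twice; deduplicate if that matters. The enclosing `if` and `main` begin outside the hunk.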
@@ -77,6 +77,41 @@ else
 >&2 echo "# INFO: skipping ...."
 fi
 
+# ---
+if [[ 1 -eq 1 ]]; then
+ >&2 echo -e "# ---\n# TEST: auto-find secrets files"
+ # SETUP
+ _tmp_mock_secrets_dir='mock_hierarchy'
+ _tmp_mock_secrets_filepath_1="${_tmp_mock_secrets_dir}/one/secrets.yaml"
+ mkdir -p "$(dirname "${_tmp_mock_secrets_filepath_1}")"
+ touch "${_tmp_mock_secrets_filepath_1}"
+ _tmp_mock_secrets_filepath_2='mock_hierarchy/Tw o/secrets.yaml'
+ mkdir -p "$(dirname "${_tmp_mock_secrets_filepath_2}")"
+ touch "${_tmp_mock_secrets_filepath_2}"
+ # RUN
+ # set -x
+ # suspend strict: check output for errors
+ set +e
+ # move 'set -x' within the sub-shell, otherwise all output dumped to tty
+ # ... bug: stderr still gets printed, not sure why. E.g. '# RUN: sops updatekeys mock_secrets.yaml'
+ _out="$(set -x; ../bin/update_sops.sh --find_secrets -s "${secrets_file}" 2>&1 )"
+ echo "$_out}"
+ # re-enable strict
+ set -e
+ set +x
+ grep "${_tmp_mock_secrets_filepath_1}" <<< "${_out}"
+ grep "${_tmp_mock_secrets_filepath_2}" <<< "${_out}"
+ grep "${secrets_file}" <<< "${_out}"
+ set -e
+ # TEARDOWN
+ set -x
+ rm -rf "${_tmp_mock_secrets_dir}"
+ # enmesh: restore, since this particular one is checked in
+ git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
+else
+ >&2 echo "# INFO: skipping ...."
+fi
+
 # ---
 if [[ 1 -eq 1 ]]; then
 >&2 echo -e "# ---\n# TEST: induce error: invalid file"
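Review bot: The three unanchored `grep … <<< "${_out}"` checks cannot tell success from failure: the script's error path (`E: could not locate file with secrets, tried: ${secrets_file}` in bin/update_sops.sh) also prints the path, so `grep "${secrets_file}"` passes on that branch too, and the exit status of the `$( … )` run is never examined because `set +e` is in force and `$?` is not captured. Capture the status and anchor on the action line, e.g. `_out="$(…)"; _rc=$?` followed by `(( _rc == 0 )) || exit 1` and `grep -F -- 'sops updatekeys' <<< "${_out}" | grep -F -- "${_tmp_mock_secrets_filepath_1}"` (likewise for the other two), with `-F` because the `Tw o` path is otherwise treated as a regex. `echo "$_out}"` has a stray `}`; `printf '%s\n' "${_out}"` is the safe form. The xtrace from the inner `set -x` goes to the subshell's stderr, which `$( … )` does not capture (only the script's `2>&1` is), which is the behaviour the `bug:` comment describes; and the teardown `set -x` is never switched off, so it traces every later test in this file — pair it with `set +x` after the `git checkout` or drop it. `${secrets_file}` is set outside this hunk.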