diff --git a/.github/scripts/ci-health-check.sh b/.github/scripts/ci-health-check.sh
index 3b003d4..094a19c 100755
--- a/.github/scripts/ci-health-check.sh
+++ b/.github/scripts/ci-health-check.sh
@@ -2,21 +2,43 @@
 # ci-health-check.sh — Scan all privilegedescalation repos for CI/CD health
 # Run from: /paperclip/privilegedescalation/engineering/hugh
 # Requires: GH_TOKEN set (use: export GH_TOKEN=$(bash ./get-github-token.sh))
+#
+# Plugin repo discovery
+# ---------------------
+# PLUGIN_REPOS is populated dynamically from the GitHub org so newly created
+# plugin repos are picked up automatically. The filter is:
+# - non-archived, public repos in the privilegedescalation org
+# - name starts with "headlamp-"
+# - excludes "headlamp-agent-skills" (skills bundle, not a Headlamp plugin)
+# If discovery fails (network error, GH_TOKEN missing, API outage), we fall
+# back to a hardcoded list so the health check still produces a useful report.
 set -euo pipefail
 ORG="privilegedescalation"
-PLUGIN_REPOS=(
+# Hardcoded fallback — kept in sync manually as a safety net for discovery failures.
+PLUGIN_REPOS_FALLBACK=(
 headlamp-polaris-plugin
 headlamp-rook-plugin
 headlamp-sealed-secrets-plugin
 headlamp-intel-gpu-plugin
 headlamp-tns-csi-plugin
 headlamp-kube-vip-plugin
- headlamp-argocd-plugin
 headlamp-plugin-template
+ headlamp-argocd-plugin
 )
+mapfile -t PLUGIN_REPOS < <(
+ gh api --paginate "orgs/${ORG}/repos" \
+ --jq '.[] | select(.archived == false and .visibility == "public" and (.name | startswith("headlamp-")) and .name != "headlamp-agent-skills") | .name' \
+ 2>/dev/null | sort
+)
+
+if [ ${#PLUGIN_REPOS[@]} -eq 0 ]; then
+ echo "WARNING: dynamic repo discovery returned no results — using hardcoded fallback" >&2
+ PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
+fi
+
 echo "=== CI/CD Health Check — $(date -u '+%Y-%m-%d %H:%M UTC') ==="
 echo ""
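Review bot: The fallback fires only when `PLUGIN_REPOS` ends up empty, so a `gh api` call that fails after emitting some pages may leave a truncated list that is then scanned and reported as if it were the whole org. The exit status of the process substitution in `mapfile -t PLUGIN_REPOS < <( … )` is not seen by `set -e` or `pipefail`, and `2>/dev/null` discards the auth or rate-limit message that would explain the failure. For a health report, silently skipping repos is worse than falling back, so I would run discovery in a command substitution, test its status as well as its output, and leave stderr visible. The version below keeps the same filter and the same fallback array.

```shell
PLUGIN_REPOS=()
# pipefail is inherited by the command substitution, so a gh failure fails the assignment.
if discovered=$(
  gh api --paginate "orgs/${ORG}/repos" \
    --jq '.[] | select(.archived == false and .visibility == "public" and (.name | startswith("headlamp-")) and .name != "headlamp-agent-skills") | .name' \
    | sort
) && [ -n "$discovered" ]; then
  mapfile -t PLUGIN_REPOS <<<"$discovered"
else
  echo "WARNING: dynamic repo discovery failed or returned no results — using hardcoded fallback" >&2
  PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
fi
```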