diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..862a4df
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,14 @@
+title = "gh-action-readme gitleaks configuration"
+
+[extend]
+useDefault = true
+
+# Allowlist for test files and fixtures that intentionally contain placeholder tokens.
+# These are not real secrets and are used only for testing purposes.
+[[allowlists]]
+description = "Test fixture files containing placeholder tokens"
+paths = [
+ '''testutil/test_constants\.go''',
+ '''.*_test\.go''',
+ '''testdata/.*''',
+]
diff --git a/.gitleaksignore b/.gitleaksignore
index ee8eb5a..e8e758d 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -23,3 +23,6 @@ internal/wizard/validator_test.go:github-pat:204
 integration_test.go:github-pat:304
 internal/config_test.go:github-pat:133
 internal/config_test.go:github-pat:162
+testdata/yaml-fixtures/configs/global-config-default.yml:github-pat:4
+testutil/test_constants.go:github-pat:363
+testutil/test_constants.go:github-pat:455
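Review bot: The `paths` entries `'''.*_test\.go'''` and `'''testdata/.*'''` in the new `[[allowlists]]` block disable every rule for every Go test file and for any path containing `testdata/`, so a live credential pasted into a test or fixture would no longer be reported. The patterns are also unanchored, so they match at any directory depth and on longer file names. The known placeholders are already suppressed one by one in `.gitleaksignore`, which makes the broad entries unnecessary for the findings this commit targets. I would keep only `'''^testutil/test_constants\.go$'''`, or keep the paths but add a `regexes` entry for the placeholder token shape with `condition = "AND"` so that only those values are skipped.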
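Review bot: The three added fingerprints pin each suppression to a line number (`:4`, `:363`, `:455`), so an edit above those lines in `testutil/test_constants.go` or the YAML fixture moves the placeholder off the ignored line and a different value can land on it. An inline `gitleaks:allow` comment on each placeholder line would travel with the value instead. If the fingerprints stay, a `#` comment line above them naming the placeholder each one covers would make later audits of this file easier.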