diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..c0c99b2
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,13 @@
+title = "gh-action-readme gitleaks configuration"
+
+[extend]
+useDefault = true
+
+# Allowlist for test files and fixtures that intentionally contain placeholder tokens.
+# These are not real secrets and are used only for testing purposes.
+[allowlist]
+description = "Test fixture files containing placeholder tokens"
+paths = [
+ '''^testutil/test_constants\.go$''',
+ '''^testdata/''',
+]
diff --git a/.gitleaksignore b/.gitleaksignore
index ee8eb5a..e8e758d 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -23,3 +23,6 @@ internal/wizard/validator_test.go:github-pat:204
 integration_test.go:github-pat:304
 internal/config_test.go:github-pat:133
 internal/config_test.go:github-pat:162
+testdata/yaml-fixtures/configs/global-config-default.yml:github-pat:4
+testutil/test_constants.go:github-pat:363
+testutil/test_constants.go:github-pat:455
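Review bot: The `'''^testdata/'''` entry under `[allowlist]` `paths` suppresses every rule for the whole directory tree, so a live credential that later lands in any fixture there would pass the scan without a finding. The only fixture this commit identifies as tripping a rule is the one listed in `.gitleaksignore`, so the pattern could be narrowed to `'''^testdata/yaml-fixtures/configs/global-config-default\.yml$'''`. Alternatively, drop the path entries and rely on the per-finding fingerprints added to `.gitleaksignore` in the same commit, since both mechanisms cover the same three findings. If the broad path is kept, the comment above `[allowlist]` should state that all findings under `testdata/` are suppressed and that real tokens must never be stored there.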
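Review bot: The three added entries pin findings by file, rule and line number (for example `testutil/test_constants.go:github-pat:363`), so they are tied to the current layout of each file: an edit above line 363 or 455 makes the entry stale, and a stale entry would also suppress a different `github-pat` match that happens to land on that line. They also overlap with the path allowlist this commit adds in `.gitleaks.toml`, which already exempts both files; keeping a single mechanism makes it clearer which suppressions are intentional. A `#` comment line above the new entries, such as `# placeholder tokens in test fixtures, not real credentials`, would record why each finding is ignored.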