fix(security): replace custom secret detection with gitleaks

The hand-rolled check_secrets regex patterns produced false positives
on configKey test values, causing make security-full to fail.

Replace with gitleaks via go run for proper secret detection with
built-in rules and allowlist support for generated report files.

.gitleaks.toml

@@ -0,0 +1,15 @@
+# gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+#
+# Extends the built-in ruleset. Only allowlist overrides are defined here.
+
+[allowlist]
+  description = "Global allowlist for generated and report files"
+  paths = [
+    '''gosec-report\.json$''',
+    '''govulncheck-report\.json$''',
+    '''security-report\.json$''',
+    '''security-report\.md$''',
+    '''output\.json$''',
+    '''gibidify\.json$''',
+  ]