diff --git a/.gitea/workflows/pr-check.yaml b/.gitea/workflows/pr-check.yaml
index 63c652d..d967e7d 100644
--- a/.gitea/workflows/pr-check.yaml
+++ b/.gitea/workflows/pr-check.yaml
@@ -26,6 +26,7 @@ jobs:
 - name: Run Gitleaks
 run: |
 gitleaks dir . \
+ --config-path .gitleaks.toml \
 --redact=10 \
 --verbose \
 --exit-code 1
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..d866f68
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,30 @@
+title = "Gitleaks Config"
+
+# ==========================
+# Allowlist / False Positive Rules
+# ==========================
+# [[allowlist]]
+# description = "Ignore placeholder secrets in README.md"
+# filepath = "README.md"
+# # Add all placeholder-like patterns that trigger false positives
+# regex = "cafebabe|deadbeef|DB_PASSWORD"
+
+[[allowlist]]
+description = "Ignore badge URLs in README"
+filepath = "README.md"
+regex = "https://img.shields.io"
+
+# ==========================
+# Rules
+# ==========================
+[[rules]]
+id = "generic-api-key"
+description = "Generic API Key"
+regex = "(?i)(api[_-]?key|secret|token)=\\S+"
+entropy = 3.5
+
+[[rules]]
+id = "sidekiq-secret"
+description = "Sidekiq Secret"
+regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
+entropy = 2.5
diff --git a/README.md b/README.md
index 1a9a5d9..0e32586 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@
 | Swap handling | ✅ | ✅ | ✅ |
 | Logrotate protection | ✅ | ✅ | ✅ |
 | Powertop auto-tune | ✅ | ✅ | ✅ |
-| API utilities | ✅ | ✅ | ✅ |
+| Utilities | ✅ | ✅ | ✅ |
 ## 📂 Directory Structure
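Review bot: The flag on the added line, `--config-path`, is the gitleaks v7 spelling; the v8 CLI that provides the `dir` subcommand used on the line above names it `--config` (short `-c`), so I would expect this step to abort with an unknown-flag error rather than load the new file — please check against the gitleaks version the runner installs and, if so, change the line to `--config .gitleaks.toml \`. Because this step's exit status is what gates the PR, a flag-parse failure would block every PR instead of merely skipping the scan, which is at least fail-closed but will be confusing to diagnose. The `run` block and the enclosing job begin outside the hunk.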
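Review bot: Passing a custom config replaces gitleaks' built-in ruleset, so once the workflow points at this file only the two `[[rules]]` entries here are evaluated and every default detector (cloud provider keys, private keys, and so on) is silently dropped; unless that narrowing is intended, the file should open with an `[extend]` table setting `useDefault = true`. The `[[allowlist]]` entry also appears to use key names gitleaks v8 does not read: the global allowlist is a single `[allowlist]` table whose `paths` and `regexes` values are arrays of patterns, and unrecognised keys are ignored rather than rejected, so the badge exclusion likely has no effect — worth confirming by scanning a fixture README before relying on it. Writing the patterns as TOML literal strings avoids the doubled backslashes in the rule regexes and lets the dots in the shields.io pattern be escaped, since unescaped they match any character. The rewritten head of the file would look like this, with the two `[[rules]]` entries unchanged apart from switching to literal strings.
```toml
title = "Gitleaks Config"

# Keep the built-in ruleset; this file only adds rules and allowlists on top of it.
[extend]
useDefault = true

[allowlist]
description = "Ignore badge URLs in README"
paths = ['''README\.md''']
regexes = ['''https://img\.shields\.io''']

# … unchanged: [[rules]] entries (regexes as '''...''' literal strings) …
```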