diff --git a/.github/scripts/file-whitelist-check.sh b/.github/scripts/file-whitelist-check.sh
index 344dd38dd..c42670e59 100755
--- a/.github/scripts/file-whitelist-check.sh
+++ b/.github/scripts/file-whitelist-check.sh
@@ -32,6 +32,7 @@ ALLOWED_PATTERNS=(
 "^\.coveragerc$"
 "^\.secrets\.baseline$"
 "^\.gitleaks\.toml$"
+"^\.gitleaksignore$"
 "^pytest\.ini$"
 "^LICENSE$"
 "^README$"
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index eab24cea6..0fb9efe65 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -39,3 +39,5 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITHUB_USERNAME: ${{ github.actor }}
 GITHUB_REPOSITORY: ${{ github.repository }}
+ GITLEAKS_CONFIG: .gitleaks.toml
+ GITLEAKS_BASELINE_PATH: .gitleaksignore
diff --git a/.gitignore b/.gitignore
index 2252720b1..c181b333a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -68,6 +68,7 @@
 .*/
 !.github/
 !.github/**
+!.gitleaksignore
 
 # Allow installer files only in installers directory
 !installers/**/*.bat
diff --git a/.gitleaks.toml b/.gitleaks.toml
index d0765bf2d..3e18407e8 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -56,7 +56,8 @@ keywords = ["BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "BEGIN OPENSSH PRIVATE
 [[rules]]
 description = "Generic secret/password pattern"
 id = "generic-secret"
-regex = '''(?i)(password|secret|token|key)\s*[:=]\s*['"]?[a-zA-Z0-9_\-@#$%^&*]{8,}['"]?'''
+regex = '''(?i)(password|secret|token|key)\s*[:=]\s*['"]?([a-zA-Z0-9_\-@#$%^&*]{8,})['"]?'''
+secretGroup = 2
 keywords = ["password", "secret", "token", "key"]
 
 # Allowlist - exclude common false positives
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 000000000..bc432e275
--- /dev/null
+++ b/.gitleaksignore
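Review bot: The added `"^\.gitleaksignore$"` entry has to be mirrored by hand in the second copy of ALLOWED_PATTERNS in `.pre-commit-hooks/file-whitelist-check.sh` (the last hunk of this diff), and the two arrays appear to differ in their neighbouring entries (possibly just ordering), so they look like they are drifting. A one-line comment above each array would make the coupling explicit: `# Keep in sync with .pre-commit-hooks/file-whitelist-check.sh (same allow-list)` here, with the reverse pointer in the hook. Longer term, having the pre-commit hook source the list from one shared file would remove the duplication. The ALLOWED_PATTERNS array starts outside the hunk.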
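Review bot: `GITLEAKS_BASELINE_PATH: .gitleaksignore` looks like it conflates two different gitleaks mechanisms: the CLI's `--baseline-path` expects a JSON report produced by an earlier `gitleaks detect` run, whereas `.gitleaksignore` is a fingerprint list that gitleaks reads automatically from the repository root without any option. Unless the gitleaks-action version pinned in this workflow (outside the hunk) documents that variable, it will most likely be ignored, and if it is passed through as a baseline path the scan may fail on a non-JSON file. I would drop that line, or replace it with a comment such as `# .gitleaksignore at the repo root is picked up automatically; no baseline report is needed`, and verify on a PR that the README findings are actually suppressed. `GITLEAKS_CONFIG: .gitleaks.toml` is fine as long as the config either extends the default rules or intentionally replaces them.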
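Review bot: Setting `secretGroup = 2` changes what gitleaks treats as the secret for `generic-secret` from the whole `password = value` match to the value alone, and as far as I recall allowlist regexes are applied to that secret text when `regexTarget` is unset, so any entries in the `# Allowlist` section that follows (outside the hunk) which were written against the `password|secret|token|key` prefix will silently stop matching. Those allowlist regexes should be re-run against the README and .env.template placeholders after this change, or given `regexTarget = "line"` where they rely on the key name. The regex line would also benefit from a comment that the value class deliberately excludes `+`, `/`, `=` and `.`, since base64- or JWT-shaped values will now be reported with the captured secret cut off at the first such character, e.g. `# value class stops at + / = . so the captured secret may be truncated; detection still fires`.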
@@ -0,0 +1,16 @@
+# Gitleaks Baseline - Known False Positives
+# This file contains fingerprints of known false positives that should be ignored.
+# Format: commit:file:rule:line
+
+# README.md placeholder API key examples (not actual secrets)
+# These are documentation examples showing users how to set environment variables
+792da694efe22304469ec22ff46201080791e3a6:README.md:generic-secret:61
+792da694efe22304469ec22ff46201080791e3a6:README.md:generic-secret:62
+27539371e7d2b2b6edb63bc238a6c0347fafef0c:README.md:generic-secret:61
+27539371e7d2b2b6edb63bc238a6c0347fafef0c:README.md:generic-secret:62
+
+# .env.template placeholder values (not actual secrets)
+# Template files showing users what environment variables to set
+02042634506c377e86161cc2ce038eb8c19f10f3:.env.template:generic-secret:2
+02042634506c377e86161cc2ce038eb8c19f10f3:.env.template:generic-secret:4
+02042634506c377e86161cc2ce038eb8c19f10f3:.env.template:generic-secret:5
diff --git a/.pre-commit-hooks/file-whitelist-check.sh b/.pre-commit-hooks/file-whitelist-check.sh
index e01f0edb7..c8d10ce62 100755
--- a/.pre-commit-hooks/file-whitelist-check.sh
+++ b/.pre-commit-hooks/file-whitelist-check.sh
@@ -30,6 +30,7 @@ ALLOWED_PATTERNS=(
 "^\.coveragerc$"
 "^\.secrets\.baseline$"
 "^\.gitleaks\.toml$"
+ "^\.gitleaksignore$"
 "^\.semgrepignore$"
 "^\.trivyignore$"
 "\.semgrep/.*\.yml$"
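Review bot: The header calls this file a "Baseline", but the entries are `commit:file:rule:line` fingerprints, which is the `.gitleaksignore` format rather than the JSON baseline report that gitleaks' `--baseline-path` consumes; the first line should read `# Gitleaks fingerprint ignore list - known false positives` to avoid the mix-up. Because each fingerprint is pinned to a commit and a line number, the README.md entries already appear twice for two commits, and every future edit to those README or .env.template lines will produce fresh findings that need new entries, so this list will keep growing. For placeholder values the more durable fix is an allowlist in `.gitleaks.toml` (a `paths` entry for `.env.template`, or a regex matching the placeholder text), keeping this file for genuine one-off cases. It is also worth a comment noting that a fingerprint suppresses only that exact commit, so a real secret later committed on the same line is still reported.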