diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
new file mode 100644
index 0000000..209a422
--- /dev/null
+++ b/.github/workflows/gitleaks.yaml
@@ -0,0 +1,20 @@
+on:
+ pull_request:
+ branches:
+ - develop
+ - main
+ push:
+ tags:
+ - '*.*.*'
+ - '*.*.*-rc*'
+
+jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Check for GitLeaks
+ uses: gacts/gitleaks@v1
\ No newline at end of file
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..554f57b
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,30 @@
+# -----------------------------------------------------------------------------
+# Gitleaks Configuration
+# -----------------------------------------------------------------------------
+title = "Gitleaks Configuration"
+
+# Extend the built-in default ruleset so we only add repo-specific allowlists.
+[extend]
+useDefault = true
+
+# -----------------------------------------------------------------------------
+# Allowlist (False Positives)
+# -----------------------------------------------------------------------------
+# Each allowlist is scoped to a single rule and a single exact file path.
+# This keeps the ignore surface minimal while allowing known test fixtures and
+# archived example content to pass secret scanning.
+
+[[allowlists]]
+description = "Allow GBK translation sequence false positive for Square access token"
+targetRules = ["square-access-token"]
+paths = [
+ '''^grumpy/reference/NC_000962\.3\.gbk''',
+ '''^reference/NZ_CP085945\.1\.gbk'''
+]
+
+[[allowlists]]
+description = "Allow GBK translation sequence false positive for alibaba access key ids"
+targetRules = ["alibaba-access-key-id"]
+paths = [
+ '''^reference/NZ_CP085945\.1\.gbk'''
+]
\ No newline at end of file
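Review bot: The third-party action on the last line of the workflow, `uses: gacts/gitleaks@v1`, is pinned to a mutable major tag, so the code that receives a full-history checkout of the repository (`fetch-depth: 0`) can change upstream without any review here; the same applies to `actions/checkout@v4`. Pinning both to a full-length commit SHA with the tag kept in a trailing comment, `uses: gacts/gitleaks@<full-commit-sha>  # v1`, makes the workflow reproducible and auditable. The job also declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` scope although a secret scan only needs to read contents; adding `permissions:` / `contents: read` at the top of the workflow keeps it least-privilege. Note that `on:` covers only pull requests to develop/main and release-style tag pushes, so a direct push to those branches is not scanned until the next tag — presumably intentional, but worth a comment if so.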
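Review bot: The `paths` regexes in both `[[allowlists]]` entries are anchored only at the start, so `'''^reference/NZ_CP085945\.1\.gbk'''` also matches any file whose path merely begins with that name (a copied `NZ_CP085945.1.gbk.bak`, for instance), which contradicts the comment above stating that each allowlist covers a single exact file path. Anchoring the end as well, `'''^grumpy/reference/NC_000962\.3\.gbk$'''` and `'''^reference/NZ_CP085945\.1\.gbk$'''`, keeps the ignore surface as narrow as the comment promises. The top-level `[[allowlists]]` array with `targetRules` is, as far as I know, only recognised by recent gitleaks releases (older ones use a single `[allowlist]` table); since the workflow runs whichever gitleaks version `gacts/gitleaks@v1` bundles, confirm that version accepts this form, otherwise the allowlists may not be applied and the scan would fail on the fixtures. The file also ends without a trailing newline.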