diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 48cc08b..8960bb4 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T01:29:49Z
+# ci-sync: 2026-05-30T02:18:53Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
@@ -42,7 +42,8 @@ jobs:
 for f in Dockerfile docker/**/Dockerfile */Dockerfile; do
 [ -f "$f" ] || continue
 found=1
- docker run --rm -i hadolint/hadolint < "$f"
+ # Warnings (unpinned apt/pip) are advisory; only errors fail the job
+ docker run --rm -i hadolint/hadolint hadolint --failure-threshold error - < "$f"
 done
 [ "$found" -eq 1 ] || echo "No Dockerfile — skip hadolint"
@@ -60,5 +61,9 @@ jobs:
 fetch-depth: 0
 - name: Gitleaks
 run: |
+ extra=""
+ if [ -f .gitleaks.toml ]; then
+ extra="--config /repo/.gitleaks.toml"
+ fi
 docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
- detect --source /repo --no-banner --redact
+ detect --source /repo --no-banner --redact ${extra}
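Review bot: `--failure-threshold error` on the new `docker run` line demotes every warning-level hadolint rule, not only the unpinned apt/pip ones the comment names, so other warning-level findings (for example a final `USER root` or a `:latest` base image) would also stop failing the job. If the intent is to tolerate only the pinning rules, keep the default threshold and suppress those by id, e.g. `docker run --rm -i hadolint/hadolint hadolint --ignore DL3008 --ignore DL3013 - < "$f"`. The `hadolint/hadolint` image is also pulled without a tag, so the linter version and its rule set can change between runs; pinning a release tag or digest would make this gate reproducible.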
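Review bot: The new `--config /repo/.gitleaks.toml` branch takes the scanner's configuration from the same checkout it is scanning, so a change that introduces a secret can also carry the allowlist entry that hides it. A comment above the `if` would make that trust decision explicit, e.g. `# NOTE: .gitleaks.toml comes from the branch under scan; changes to it need security review`, ideally backed by a required-reviewer rule on that file. `${extra}` is deliberately left unquoted so it splits into two arguments; a short comment saying so (or `# shellcheck disable=SC2086`) would keep a later cleanup from quoting it and passing one malformed argument to `detect`.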