diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index e2739dd..f45d28a 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T01:31:11Z
+# ci-sync: 2026-05-30T02:20:10Z
 # Homelab CI — baseline secret scan (git-ci-02)
 name: CI
 
@@ -38,5 +38,9 @@ jobs:
           fetch-depth: 0
       - name: Gitleaks
         run: |
+          extra=""
+          if [ -f .gitleaks.toml ]; then
+            extra="--config /repo/.gitleaks.toml"
+          fi
           docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
-            detect --source /repo --no-banner --redact
+            detect --source /repo --no-banner --redact ${extra}