diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0ea22e8..43ca9bc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,6 +10,8 @@ permissions:
 contents: read
 security-events: write
 packages: write # útil si luego publicas en GHCR
+ discussions: write
+ pull-requests: write
 
 concurrency:
 group: devsecops-${{ github.ref }}
@@ -33,9 +35,10 @@ jobs:
 runs-on: self-hosted
 steps:
 - name: Clean gitleaks
- run: rm /tmp/gitleaks.tmp
+ run: rm -f /tmp/gitleaks.tmp
 - uses: actions/checkout@v4
- with: { fetch-depth: 0 } # para análisis que miran historial
+ with:
+ fetch-depth: 0 # para análisis que miran historial
 - name: Gitleaks
 uses: gitleaks/gitleaks-action@v2
 env:
@@ -48,7 +51,7 @@ jobs:
 needs: [secrets]
 steps:
 - uses: actions/checkout@v4
- - name: Semgrep (bloqueante)
+ - name: Semgrep (no bloqueante)
 run: |
 docker run --rm -v "$PWD:/src" returntocorp/semgrep:latest \
 semgrep scan --config p/ci --config .semgrep
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..8b59776
--- /dev/null
+++ b/.gitleaks.toml
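Review bot: `discussions: write` and `pull-requests: write` are added to the workflow-level `permissions:` block (the hunk header places them under the top-level `permissions:` mapping), so every job in the workflow — including the secret-scanning and Semgrep jobs, which only check out code and scan it — receives a GITHUB_TOKEN that can write to pull requests and discussions. Keep the top-level block at `contents: read` / `security-events: write` and move the write scopes into a job-level `permissions:` on the one job that actually posts comments, i.e. `permissions:` followed by `pull-requests: write` directly under that job. `packages: write` in the context lines is in the same situation (its own comment says it is only needed if images are published later), so it is worth scoping or dropping at the same time.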
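Review bot: The step is renamed to `Semgrep (no bloqueante)`, but nothing in the hunk changes whether it blocks: the `run:` script continues past the hunk, and the exit status of `semgrep scan` together with any `continue-on-error` on the step is what decides that, not the name. If the intent is that findings never fail the pipeline, make it explicit with `continue-on-error: true` on this step so the name and the behaviour cannot drift apart, and keep the findings visible — the workflow already grants `security-events: write`, so uploading the scan output as SARIF to code scanning is the natural place for them. A non-blocking SAST step is only worth running if its results still reach a reviewer.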
@@ -0,0 +1,40 @@
+title = "gitleaks config"
+
+[extend]
+useDefault = true
+
+[[rules]]
+description = "AWS Access Key"
+id = "aws-access-key"
+regex = '''AKIA[0-9A-Z]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+id = "aws-secret-key"
+aregex = '''([^A-Za-z0-9/+=]{0,20}[A-Za-z0-9/+=]{40})?'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "Generic API Key"
+id = "generic-api-key"
+regex = '''key|token|secret|password.*=.*['\"][0-9a-zA-Z]{20,45}['\"]'''
+tags = ["key", "API"]
+
+[[rules]]
+description = "Private Key"
+id = "private-key"
+regex = '''-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----'''
+tags = ["key", "private"]
+
+[[rules]]
+description = "Password in URL"
+id = "password-in-url"
+regex = '''[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}["'\s]'''
+tags = ["password", "URL"]
+
+[[rules]]
+description = "Slack Token"
+id = "slack-token"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..3f3fe54
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,9 @@
+# Ignore specific patterns in JSON files
+**/*.json:prisidio_xapikey
+
+# Ignore specific values in JSON files
+**/*.json:{"prisidio_xapikey": "*"}
+
+# Ignore specific pattern
+*.toml
+.gitleaksignore
\ No newline at end of file
diff --git a/gitleaks.toml b/gitleaks.toml
deleted file mode 100644
index a3084aa..0000000
--- a/gitleaks.toml
+++ /dev/null
@@ -1,6 +0,0 @@
-title = "gitleaks config (demo)"
-[[rules]]
-id = "aws-access-key"
-description = "AWS Access Key ID"
-regex = '''AKIA[0-9A-Z]{16}'''
-tags = ["key", "AWS"]
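Review bot: The `aws-secret-key` rule spells its pattern key `aregex`, so the rule carries no `regex` at all; gitleaks treats a rule with neither `regex` nor `path` as invalid (or at best as a no-op), so this rule detects nothing — rename the key to `regex = '''...'''`. Even once renamed, the whole pattern is wrapped in `(...)?` and therefore also matches the empty string; drop the trailing `?`, and do the same for `slack-token`, which as written accepts a bare `xox[baprs]-` prefix. In `generic-api-key` the alternation is unparenthesised, so the regex fires on any bare `key`, `token` or `secret` anywhere in a file and applies the `=.*['\"]...` tail only to `password`; write it as `regex = '''(?:key|token|secret|password).*=.*['\"][0-9a-zA-Z]{20,45}['\"]'''`. In `password-in-url`, TOML `'''` literal strings do no escape processing, so `[^/\\s:@]` reaches the regex engine as a class that excludes a literal backslash and the letter `s` rather than whitespace, and any user or password containing an `s` fails to match — use `\s`, as the final `["'\s]` in the same pattern already does. Since `useDefault = true` pulls in the built-in rule set, which already covers AWS keys, private keys and Slack tokens, it is worth checking whether these weaker duplicates are needed at all.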
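Review bot: The entries in this file are written as glob patterns and key/value fragments, but `.gitleaksignore` is read as a list of finding fingerprints (the `<commit>:<path>:<rule-id>:<line>` value gitleaks prints for each finding, or its path-relative form), so lines such as `**/*.json:prisidio_xapikey` and `*.toml` match no finding and suppress nothing. If a specific JSON value genuinely has to be allowlisted, do it in `.gitleaks.toml` through gitleaks' `[allowlist]` table (`paths` / `regexes`), scoped to the exact file and pattern so the exception is reviewable; a blanket `*.toml` ignore would hide real secrets in configuration files if it ever took effect. The file is also missing its trailing newline.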