diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 456035e3cb7..d3938e68b69 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -2,8 +2,9 @@ name: gitleaks
 on:
 push:
- branches:
- - 'main'
+ branches: ['main']
+ tags: ['v*']
+ pull_request:
 permissions:
@@ -14,6 +15,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
+ with:
+ fetch-depth: 0
 - uses: gitleaks/gitleaks-action@v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/grype.yml b/.github/workflows/grype.yml
index ad8421dcdd6..40d01966117 100644
--- a/.github/workflows/grype.yml
+++ b/.github/workflows/grype.yml
@@ -2,7 +2,9 @@ name: "grype"
 on:
 push:
- branches: [ main ]
+ branches: ['main']
+ tags: ['v*']
+ pull_request:
 jobs:
 scan-source:
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 00000000000..4e785b93b24
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,5 @@
+[[rules]]
+id = "ignore-testdata"
+[rules.allowlist]
+paths = ['''.*/testdata/*''']
+
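Review bot: The added `pull_request:` trigger in the first gitleaks.yml hunk has no comment recording why the plain event was chosen, and that choice is what keeps fork pull requests on a read-only `GITHUB_TOKEN` with no repository secrets. I would note it above the key, e.g. `# pull_request, not pull_request_target: fork PRs get a read-only token and no repo secrets`, so the event is not swapped later to make PR comments or uploads work. The same comment fits the identical trigger change in grype.yml. The body of the `permissions:` block lies outside the hunk, so its scopes could not be checked here.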
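Review bot: `gitleaks/gitleaks-action@v2` in the second gitleaks.yml hunk is referenced by a movable tag, while the checkout step directly above it is pinned to a commit SHA. With this change the action also works on the full history (`fetch-depth: 0`) and runs on pull requests with `GITHUB_TOKEN` in its environment. Pinning it the same way closes that gap: `- uses: gitleaks/gitleaks-action@<full-commit-sha> # v2` (placeholder; take the SHA from the release you have reviewed). A short comment on `fetch-depth: 0`, presumably `# full history so every commit in the pushed/PR range can be scanned`, would keep it from being trimmed later as a speed-up. The job definition starts outside the hunk.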
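Review bot: No workflow-level `permissions:` key appears between `on:` and `jobs:` in the grype.yml hunk, unlike gitleaks.yml. Unless `scan-source` sets its own (its body is outside the hunk), the job runs with the repository's default token scopes, now on every pull request and `v*` tag as well. Adding a top-level `permissions:` with `contents: read` would make least privilege explicit. Widen it per job only if a later step needs more, for example to upload scan results.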
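Review bot: The new `.gitleaks.toml` defines a single rule that carries an allowlist but no detection pattern, and it does not extend gitleaks' built-in rule set. As far as I can tell a repository config replaces the defaults unless it opts back in, so the scan could pass while detecting nothing. The path pattern `.*/testdata/*` is also both looser and narrower than it reads. `/*` means "zero or more slashes", so a path such as `pkg/testdatabase/x` would be skipped too (assuming unanchored matching), while a top-level `testdata/` is not covered. I would extend the defaults and use a global path allowlist anchored on a path segment, as sketched below (this needs a gitleaks release that supports `[extend]`), then confirm with a constructed dummy secret outside testdata that the job still fails.

```toml
[extend]
useDefault = true

[allowlist]
paths = ['''(^|/)testdata/''']
```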