The file was created on the security/scorecard-hardening branch but only
the ci.yml change was cherry-picked to main — the config file itself
was left behind. CI references --config .gitleaks.toml, which caused
the Security job to fail.
Adds allowlist for test placeholder tokens (nra_00112233...) that
trigger generic-api-key false positives.
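
A pre-merge guard against the failure described above (a workflow that passes `--config <file>` while the file is missing from the branch) can be scripted. This is an added example, not part of the commit or the project; the `.github/workflows/` location, the sample workflow text and the function names are assumptions made for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Matches "--config <path>" or "--config=<path>" inside workflow text.
CONFIG_FLAG = re.compile(r"--config[=\s]+[\"']?([^\s\"']+)")

# Constructed sample workflow; only the "--config .gitleaks.toml" flag is from the page.
SAMPLE_CI = (
    "jobs:\n"
    "  security:\n"
    "    steps:\n"
    "      - run: gitleaks detect --config .gitleaks.toml\n"
)

def missing_configs(repo_root, workflow_glob=".github/workflows/*.y*ml"):
    """Return (workflow, line, path) for each --config path absent from the tree."""
    root = Path(repo_root)
    missing = []
    for wf in sorted(root.glob(workflow_glob)):
        for lineno, line in enumerate(wf.read_text().splitlines(), 1):
            for path in CONFIG_FLAG.findall(line):
                if path.startswith("$"):
                    continue  # value comes from a variable or expression; cannot resolve
                if not (root / path).is_file():
                    missing.append((wf.relative_to(root).as_posix(), lineno, path))
    return missing

def build_sample_repo(root, with_config):
    """Create a constructed repo layout, with or without the scanner config."""
    wf_dir = Path(root) / ".github" / "workflows"
    wf_dir.mkdir(parents=True)
    (wf_dir / "ci.yml").write_text(SAMPLE_CI)
    if with_config:
        (Path(root) / ".gitleaks.toml").write_text("# constructed placeholder\n")

def demo():
    """Check one tree where only the workflow landed and one with both files."""
    with tempfile.TemporaryDirectory() as partial, tempfile.TemporaryDirectory() as full:
        build_sample_repo(partial, with_config=False)
        build_sample_repo(full, with_config=True)
        return missing_configs(partial), missing_configs(full)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = missing_configs(sys.argv[1])  # check a real checkout
    else:
        problems = demo()[0]
    for wf, lineno, path in problems:
        print(f"{wf}:{lineno}: --config {path} not found in tree")
    sys.exit(1 if problems else 0)
```

Run against a checkout as a required status check, it fails the merge before the scanner job does.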