diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml
index 99ed3d7..818b12f 100644
--- a/gitleaks/config/gitleaks.base.toml
+++ b/gitleaks/config/gitleaks.base.toml
@@ -1,36 +1,38 @@
 # Centralized Gitleaks configuration for all Deckhouse repositories
 # This file is distributed via modules-actions/gitleaks action
-#
-# Repositories can extend this config by creating local .gitleaks.toml:
+#
+# CI downloads this to /tmp/gitleaks.base.toml. Repositories can extend it:
 # [extend]
 # useDefault = false
 # path = "/tmp/gitleaks.base.toml"
+#
+# If no local .gitleaks.toml exists, CI uses this base config only.
 
 # Use default Gitleaks rules
 [extend]
 useDefault = true
 
-# Global allowlists
+# Global allowlists (merged with default config)
 [allowlist]
 
 # === Safe files/directories ===
-# NOTE: Use exact paths, NOT glob patterns like **/go.mod
-
 paths = [
 # Go dependencies - public hashes
 "go.mod",
 "go.sum",
-
- # Specific files with known false positives
- # "modules/101-cert-manager/docs/USAGE.md",
- # "modules/101-cert-manager/docs/USAGE_RU.md",
+
+ # Storage modules - common allowlist
+ '''(?:^|/)images/.*patches.*\.patch$''',
+ '''(?:^|/)test-secret\.txt$''',
+ '''(?:^|/)e2e/.*''',
+ '''(?:^|/).*_test\.go$''',
 ]
 
 # === Safe patterns ===
 regexes = [
 # Go module checksums - always public
 '''h1:[A-Za-z0-9+/=]{40,}''',
-
+
 # Public certificates (only ca.crt, NOT private keys!)
 '''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',
diff --git a/scripts/go_linter.sh b/scripts/go_linter.sh
index f90000c..e83ac5e 100644
--- a/scripts/go_linter.sh
+++ b/scripts/go_linter.sh
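Review bot: The two new path entries `'''(?:^|/)e2e/.*'''` and `'''(?:^|/).*_test\.go$'''` exclude every e2e directory and every Go test file from secret scanning, and because this is the base config for all Deckhouse repositories (and the only config when no local `.gitleaks.toml` exists) that exclusion is organisation-wide, not limited to the "Storage modules" the comment names. Test fixtures and e2e harnesses are exactly where real credentials tend to be pasted "temporarily", so a repo-wide blanket exclusion removes detection where it is most needed; keep the narrowly scoped synthetic fixtures (`test-secret.txt`, the `patches` files) here and move the `_test.go` / `e2e` exclusions into the storage modules' own `.gitleaks.toml` via the `[extend]` mechanism the header already documents, or allowlist the specific false-positive values with `regexes` instead of whole file classes. If the global exclusion is a deliberate decision, replace the comment with one that says so and who owns it, e.g. `# Applies to ALL repositories: Go test files and e2e trees are not scanned (decision: <owner/ticket placeholder>)`. As a style point, the `(?:^|/)` prefix is redundant before `.*`, so `'''_test\.go$'''` is the equivalent, clearer pattern.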
@@ -39,6 +39,14 @@
 section_start "install_linter" "Installing golangci-lint@$linter_version"
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b . $linter_version
 section_end "install_linter"
 
+# Migrate .golangci config to v2 format if needed (golangci-lint v2 requires version: "2")
+for config in .golangci.yaml .golangci.yml; do
+ if [ -f "$config" ] && ! grep -q 'version:.*"2"' "$config" 2>/dev/null; then
+ echo "Migrating $config to golangci-lint v2 format..."
+ ./golangci-lint migrate -c "$config" --skip-validation 2>/dev/null || true
+ fi
+done
+
 basedir=$(pwd)
 failed='false'
diff --git a/scripts/go_test_coverage.sh b/scripts/go_test_coverage.sh
index 8457666..e7d1efa 100644
--- a/scripts/go_test_coverage.sh
+++ b/scripts/go_test_coverage.sh
@@ -14,6 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Fix covdata tool lookup with Go 1.25 toolchain switching
+export GOTOOLCHAIN=auto
+
 if [ ! -d "images" ]; then
 echo "No images/ directory found. Please run this script from the root of the repository."
 exit 1
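Review bot: The migrate call on the fifth added line discards stderr and forces success with `2>/dev/null || true`, so a failed migration leaves the v1 config in place and the lint run further down fails with an error that no longer points at the real cause; at minimum surface it: `./golangci-lint migrate -c "$config" --skip-validation || echo "WARNING: migration of $config failed, continuing with the existing config"`. The guard `grep -q 'version:.*"2"'` matches the key anywhere in the file (including comments) and only in its quoted form, so a config written as `version: 2` is re-migrated on every run; `grep -Eq '^version:[[:space:]]*"?2"?'` anchors on the key and accepts both spellings. Note also that `migrate` rewrites the checked-out config in place, which is fine for an ephemeral CI workspace but worth a word in the comment if this script is ever run locally. The enclosing script continues outside the hunk.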
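Review bot: `export GOTOOLCHAIN=auto` lets the go command download and switch to whichever newer toolchain a repository's go.mod `go`/`toolchain` directive asks for, so the Go version used for coverage is now selected by repository content rather than pinned by the CI image, and the comment "Fix covdata tool lookup" does not say that. Downloaded toolchains are verified against the Go checksum database, so the concern is reproducibility and network dependence rather than integrity; if a floor is wanted, the `goX.Y.Z+auto` form keeps the named toolchain as the minimum while still honouring go.mod. Since `auto` is already the go command's default, this line presumably overrides a `GOTOOLCHAIN=local` set by the image or the job environment — confirm, and say so in the comment, e.g. `# Override GOTOOLCHAIN=local from the CI image: allow the go command to download the toolchain go.mod requires,` / `# otherwise 'go tool covdata' is looked up in the image's older Go and fails.`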