diff --git a/.gitleaksignore b/.gitleaksignore
index f97f5c8..bf9d628 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -5,3 +5,7 @@ e876843351a025eb754ec61982c8b7d95deeb709:.pre-commit-config.yaml:ipv4:119
e364bc1869c67729653c7efb4d6169f2294e68de:.pre-commit-config.yaml:ipv4:110
62088509f98ce02ce379adef2168b867eecfb5da:.pre-commit-config.yaml:ipv4:110
a3fa25da4e8f9eaa2e28c29f6196f23bfe87a58d:.pre-commit-config.yaml:ipv4:119
+# Historical false positive: example ARN comment in tags/main.tf contained hex-like content
+# which triggered the ipv6 rule. Comment updated in later commit; old commits suppressed here.
+7b49758d98757e8f404cb2c540c1f146afd6e395:infrastructure/modules/tags/main.tf:ipv6:131
+091dcd76884ffd307aee6c6b306b015c065f4896:infrastructure/modules/tags/main.tf:ipv6:131
diff --git a/infrastructure/modules/iam/README.md b/infrastructure/modules/iam/README.md
index d50dfb4..be3ae25 100644
--- a/infrastructure/modules/iam/README.md
+++ b/infrastructure/modules/iam/README.md
@@ -173,10 +173,10 @@ No providers.
| Name | Source | Version |
| ---- | ------ | ------- |
-| [policies](#module\_policies) | terraform-aws-modules/iam/aws//modules/iam-policy | 6.6.0 |
+| [policies](#module\_policies) | terraform-aws-modules/iam/aws//modules/iam-policy | 6.6.1 |
| [policy\_label](#module\_policy\_label) | ../tags | n/a |
| [role\_label](#module\_role\_label) | ../tags | n/a |
-| [roles](#module\_roles) | terraform-aws-modules/iam/aws//modules/iam-role | 6.6.0 |
+| [roles](#module\_roles) | terraform-aws-modules/iam/aws//modules/iam-role | 6.6.1 |
| [this](#module\_this) | ../tags | n/a |
## Resources
diff --git a/infrastructure/modules/iam/main.tf b/infrastructure/modules/iam/main.tf
index 2c1e3b8..e31bb23 100644
--- a/infrastructure/modules/iam/main.tf
+++ b/infrastructure/modules/iam/main.tf
@@ -39,7 +39,7 @@ module "role_label" {
module "policies" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "6.6.0"
+ version = "6.6.1"
for_each = module.this.enabled ? var.policies : {}
name = module.policy_label[each.key].id
@@ -63,7 +63,7 @@ module "policies" {
module "roles" {
source = "terraform-aws-modules/iam/aws//modules/iam-role"
- version = "6.6.0"
+ version = "6.6.1"
for_each = module.this.enabled ? var.roles : {}
name = module.role_label[each.key].id
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 88884d6..bb694a3 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -129,7 +129,7 @@ module "lambda_with_layers" {
| Name | Source | Version |
| ---- | ------ | ------- |
-| [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | 8.7.0 |
+| [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | 8.8.0 |
| [this](#module\_this) | ../tags | n/a |
## Resources
diff --git a/infrastructure/modules/lambda/main.tf b/infrastructure/modules/lambda/main.tf
index 869cf83..250131d 100644
--- a/infrastructure/modules/lambda/main.tf
+++ b/infrastructure/modules/lambda/main.tf
@@ -5,7 +5,7 @@
module "lambda_function" {
source = "terraform-aws-modules/lambda/aws"
# downgrade version as workaround for bug https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/733
- version = "8.7.0"
+ version = "8.8.0"
function_name = local.function_name
description = var.function_description
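Review bot: The comment kept above `version` still describes the pin as a downgrade working around terraform-aws-lambda issue #733, but the new line raises the pin to 8.8.0, so the comment now contradicts the code it annotates. If 8.8.0 resolves that issue, drop the comment; if it does not, this bump reintroduces the behaviour the pin was avoiding and the comment should say so, e.g. `# terraform-aws-lambda issue #733: confirm fixed in 8.8.0 before bumping further`. I cannot tell from the hunk which case applies, so please check the issue before merging. The `lambda_function` module block continues past the end of the hunk.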
diff --git a/infrastructure/modules/s3-bucket/README.md b/infrastructure/modules/s3-bucket/README.md
index eb41aab..c3260d0 100644
--- a/infrastructure/modules/s3-bucket/README.md
+++ b/infrastructure/modules/s3-bucket/README.md
@@ -107,7 +107,7 @@ No providers.
| Name | Source | Version |
| ---- | ------ | ------- |
-| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.13.0 |
+| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.14.0 |
| [this](#module\_this) | ../tags | n/a |
## Resources
diff --git a/infrastructure/modules/s3-bucket/main.tf b/infrastructure/modules/s3-bucket/main.tf
index fe765e6..ee8ac56 100644
--- a/infrastructure/modules/s3-bucket/main.tf
+++ b/infrastructure/modules/s3-bucket/main.tf
@@ -17,7 +17,7 @@
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
- version = "5.13.0"
+ version = "5.14.0"
create_bucket = module.this.enabled
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
index af5f0bb..8371dcb 100644
--- a/scripts/config/gitleaks.toml
+++ b/scripts/config/gitleaks.toml
@@ -11,8 +11,31 @@ regex = '''[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'''
[rules.allowlist]
regexTarget = "match"
regexes = [
- # Exclude the private network IPv4 addresses as well as the DNS servers for Google and OpenDNS
- '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|208\.67\.222\.222|208\.67\.220\.220)''',
+ # Exclude private/reserved IPv4 addresses and well-known DNS servers used in docs/examples.
+ # Includes RFC5737 TEST-NET ranges: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
+ '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|192\.0\.2\.[0-9]{1,3}|198\.51\.100\.[0-9]{1,3}|203\.0\.113\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)''',
+]
+
+[[rules]]
+description = "IPv6"
+id = "ipv6"
+# Matches valid IPv6 forms requiring at least 2 groups on each side of :: to
+# avoid false positives from AWS ARNs (which use :: between region and account).
+# full: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+# compressed: 2001:db8::1, fe80:db8::1
+# trailing :: fe80:db8:: (2+ groups required before ::)
+# leading :: ::db8:1 (2+ groups required after ::)
+# Note: RE2 does not support lookahead/lookbehind so boundary enforcement is
+# achieved structurally via minimum repetition counts.
+regex = '''(?i)(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){2,7}:|(?:[0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){1,5}(?::[0-9a-f]{1,4}){1,2}|(?:[0-9a-f]{1,4}:){1,4}(?::[0-9a-f]{1,4}){1,3}|(?:[0-9a-f]{1,4}:){1,3}(?::[0-9a-f]{1,4}){1,4}|(?:[0-9a-f]{1,4}:){1,2}(?::[0-9a-f]{1,4}){1,5}|[0-9a-f]{1,4}:(?::[0-9a-f]{1,4}){1,6}|:(?::[0-9a-f]{1,4}){2,7}'''
+
+[rules.allowlist]
+regexTarget = "match"
+regexes = [
+ # Exclude IPv6 documentation prefixes used in examples.
+ # RFC3849: 2001:db8::/32
+ # RFC9637: 3fff::/20 (3fff:0000:: to 3fff:0fff::)
+ '''(?i)(^|[^0-9a-f])(2001:db8:|3fff:0[0-9a-f]{0,3}:)''',
]
[allowlist]
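Review bot: The IPv4 allowlist regex is unanchored while `regexTarget = "match"`, so each entry also suppresses any matched address that merely contains it as a substring — `1\.1\.1\.1` hides `11.1.1.1` and `1.1.1.10`, `0\.0\.0\.0` hides every address ending in `.0.0.0`, and the `10\.` branch hides `210.1.2.3` — because gitleaks appears to apply allowlist patterns as an unanchored regexp search rather than a full match. Anchor the alternation, `'''^(127\.…|1\.0\.0\.1)$'''`, so only the exact reserved and example addresses are excluded. The new IPv6 allowlist has the opposite gap: `2001:db8:` does not match the zero-padded `2001:0db8:…` form that the rule's own comment uses as its example, and `3fff:0[0-9a-f]{0,3}:` does not match the compressed `3fff::`; `(2001:0?db8:|3fff:(0[0-9a-f]{0,3})?:)` covers both. The comment claiming at least two groups on each side of `::` is also not what the regex enforces — its `(?:[0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}` branch matches `a::b` — so either correct the comment or re-check the ARN false-positive reasoning it relies on. The `[allowlist]` table opened on the hunk's last line continues outside it.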