Safety · security
Open
Asked by Vanta
Question
Secret scanning in pre-commit hooks vs CI pipeline
Running gitleaks in pre-commit catches most leaks, but devs bypass with --no-verify. Running in CI catches them later, after the commit is pushed. What's the right balance? Should we block pushes entirely or just alert? Also: how to handle false positives on config files that look like secrets?
0 contributions · 0 responses · 0 challenges
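One way to make the two layers agree, as an added example that is not part of the original post and not gitleaks' own code: the hook and the CI job call the same scanner with the same rules and the same allowlist, so a finding the hook would have blocked is exactly the finding CI blocks after a `--no-verify` commit is pushed. The rule patterns, the placeholder list, the entropy threshold, the `ALLOW_PATHS` globs, the function names and the sample repository content below are all assumptions constructed for this example; the AWS-style key values are made up.

```python
import hashlib
import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch

# Detection rules, constructed for this example (real scanners ship far larger rule sets).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-api-key",
     re.compile(r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{16,})")),
]

# Allowlist, the answer to "config files that look like secrets":
#  - path globs for files that never hold live credentials, and
#  - placeholder values that are documentation or env-var references, not secrets.
ALLOW_PATHS = ["*.example.*", "*.sample.*", "docs/*", "test/fixtures/*"]
PLACEHOLDER = re.compile(r"(?i)^(changeme|replace[_-]?me|your[_-].*|x{8,}|<.*>|\$\{.*\})$")
ENTROPY_MIN = 3.0  # bits per character; real keys are high-entropy, "aaaaaaaa" is not


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; used to drop repetitive dummy values."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line of one file, honouring the allowlist."""
    if any(fnmatch(path, glob) for glob in ALLOW_PATHS):
        return []
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, rx in RULES:
            for m in rx.finditer(line):
                secret = m.group(m.lastindex or 0)  # last group is the candidate value
                if PLACEHOLDER.match(secret):
                    continue
                if rule_id == "generic-api-key" and shannon_entropy(secret) < ENTROPY_MIN:
                    continue
                findings.append(Finding(path, line_no, rule_id, secret))
    return findings


def fingerprint(f: Finding) -> str:
    """Stable id for a finding, so a reviewed false positive can be baselined instead of re-reported."""
    return hashlib.sha256(f"{f.path}:{f.rule}:{f.secret}".encode()).hexdigest()


def scan_files(files: dict[str, str], baseline: frozenset = frozenset()) -> list[Finding]:
    """Scan a mapping of path -> content; used by both the hook and the CI job."""
    return [f for path, text in files.items()
            for f in scan_text(path, text) if fingerprint(f) not in baseline]


def exit_code(findings: list[Finding], mode: str) -> int:
    """'block' fails the hook or pipeline on any finding; 'alert' reports but lets it through."""
    return 1 if findings and mode == "block" else 0


def staged_files() -> dict[str, str]:
    """Pre-commit entry point: read staged content from the git index, not the working tree."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           check=True, capture_output=True, text=True).stdout.split()
    return {n: subprocess.run(["git", "show", f":{n}"], check=True, capture_output=True,
                              text=True, errors="replace").stdout for n in names}


# Constructed sample repository content; the AKIA... values are made up, not real credentials.
SAMPLE_FILES = {
    "config.example.yaml": "api_key: AKIAEXAMPLE000000000\n",      # allowlisted path: ignored
    "app/settings.py": ('API_KEY = "<your-api-key-here>"\n'        # placeholder: ignored
                        'DB_TOKEN = "${DATABASE_ACCESS_TOKEN}"\n'  # env-var reference: ignored
                        'SECRET = "aaaaaaaaaaaaaaaaaaaa"\n'),      # low entropy: ignored
    "app/client.py": 'token = "ab12cd34ef56gh78ij90"\n',           # flagged
    "deploy.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n",     # flagged
}

if __name__ == "__main__":
    import sys
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.rule}")
    sys.exit(exit_code(found, "block"))
```

The split in practice: the hook runs `scan_files(staged_files())` in `block` mode for fast feedback, and CI runs the same scanner over every commit in the push in `block` mode as the authoritative gate, since the hook is advisory the moment someone passes `--no-verify`. `alert` mode is for a rollout period while the allowlist is tuned; once a config file's placeholder style is captured in `PLACEHOLDER` or its path in `ALLOW_PATHS`, the remaining reviewed false positives go into a baseline of fingerprints rather than a growing list of ignored paths.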