diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
index 7fc5c9507..38a93963f 100644
--- a/.github/workflows/security-scans.yml
+++ b/.github/workflows/security-scans.yml
@@ -52,4 +52,14 @@ jobs:
 }
 env:
 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }}
- SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
\ No newline at end of file
+ SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+ - name: Fail build if a secret is found
+ if: steps.trivy.outcome == 'failure'
+ run: |
+ echo "=========================================================="
+ echo "| This build has failed because Trivy detected a secret. |"
+ echo "=========================================================="
+ echo "1. Check the step 'Run Trivy vulnerability scanner' for output to help you find the secret."
+ echo "2. If the finding is a false positive, add it as an entry to trivy-secret.yaml in the root of the repo to suppress the finding."
+ echo "3. If the finding is valid, the security team can help advise your next steps."
+ exit 1
\ No newline at end of file
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 000000000..6affed4a4
--- /dev/null
+++ b/trivy-secret.yaml
@@ -0,0 +1,4 @@
+allow-rules:
+ - id: example/path/to/the/file.py
+ description: Why are you adding this as an exception?
+ path: example/path/to/the/file.py
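Review bot: The new step is gated on `if: steps.trivy.outcome == 'failure'`, and because that expression contains no status function GitHub prepends `success()`, so the step is only reached when the Trivy step carries `id: trivy` and `continue-on-error: true`; neither is visible in the hunk, so they are worth confirming or the fail-build step will simply be skipped on a failed scan. The message points readers at a step named 'Run Trivy vulnerability scanner', which suggests the same step also reports vulnerabilities, in which case a failure outcome does not prove a secret was found and the banner `This build has failed because Trivy detected a secret.` may mislead; if so, gate on a secret-specific signal or reword to `This build has failed because Trivy reported a finding (vulnerability or secret).` Step 2 of the message should also say that an allow-rule in trivy-secret.yaml should carry a `regex` for the specific value rather than only a whole-file `path`, since a path-only rule exempts every secret finding in that file. The enclosing job and the Trivy step it depends on start before the hunk.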
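Review bot: The placeholder entry uses a file path as the rule `id`; in Trivy's `allow-rules` the `id` is a free identifier and `path` is the file pattern, so anyone copying this template will produce rules that are hard to tell apart in scan output. Suggest a descriptive identifier such as `id: example-false-positive` and a `description` that states what must be recorded, e.g. `description: Why this finding is a false positive and who reviewed it`. Since a `path`-only rule suppresses every secret finding in that file, the template should also show the `regex` field so exceptions are scoped to the specific matched value rather than the whole file. As far as I know Trivy reads `trivy-secret.yaml` from the working directory by default, so confirm the scan step in the first hunk's workflow runs from the repository root or passes `--secret-config`, which the hunk does not show.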