Some context for understanding the question: The secrets scanning feature, amongst other security scanners, uses CI/CD to scan and collect the results. The scan reports are available as MR widgets and vulnerability dashboards to take action upon. The CI/CD jobs themselves will not fail when something is detected - this needs a more granular approach with matching the security vulnerability with severities and CVEs for example. MRs can be blocked from merging when security vulnerabilities such as secrets are detected, using scan result policies.
Downloading the JSON report manually could work as well, but needs the reports artifact in the job scope. You can expose the JSON report as a manual artifact, for example.
A similar example with IaC SAST reports is described in "Fantastic Infrastructure as Code security attacks and how to find them", and in combination with "How to use Security job artifacts in job dependencies?" the following (untested) configuration should work:
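```yaml
# Override of the template's secret_detection job: besides the report,
# keep the JSON file as a regular artifact so later jobs can download it.
# The custom "secret_detection" stage must be listed under `stages:`.
secret_detection:
  stage: secret_detection
  artifacts:
    paths:
      - gl-secret-detection-report.json
    reports:
      secret_detection: gl-secret-detection-report.json

# Follow-up job: `needs` pulls the artifacts of secret_detection.
Validate Secret Detection:
  stage: secret_detection
  needs:
    - "secret_detection"
  script:
    # Placeholder check (a job needs a script); replace with your validation.
    - test -f gl-secret-detection-report.json
  artifacts:
    paths:
      - gl-secret-detection-report.json
```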
Alternatively to `needs` with `artifacts`, you could also use different stages and `dependencies` to force the artifact download.
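As an added example that is not part of the original post: a check the "Validate Secret Detection" job could run to make the pipeline fail when the downloaded report contains findings. The function names are hypothetical, the sample report is constructed, and the field names (`vulnerabilities`, `severity`, `name`, `location.file`, `location.start_line`, `raw_source_code_extract`) are assumed from the security report layout.

```python
import json
import sys

# Severity names used in security reports, lowest to highest.
SEVERITIES = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample report (assumed layout, not real scanner output).
SAMPLE = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"category": "secret_detection", "name": "AWS access token",
         "severity": "Critical", "raw_source_code_extract": "EXAMPLE-NOT-A-KEY",
         "location": {"file": "deploy/config.env", "start_line": 3}},
        {"category": "secret_detection", "name": "Low-confidence match",
         "severity": "Info", "location": {"file": "README.md", "start_line": 10}},
    ],
}

def findings(report, min_severity="Low"):
    """Return (severity, name, file, line) tuples at or above min_severity."""
    threshold = RANK[min_severity]
    hits = []
    for vuln in report.get("vulnerabilities", []):
        sev = vuln.get("severity", "Unknown")
        if RANK.get(sev, RANK["Unknown"]) < threshold:
            continue
        loc = vuln.get("location", {})
        # raw_source_code_extract is skipped on purpose: it can hold the
        # secret itself, and job logs are readable by other people.
        hits.append((sev, vuln.get("name", "unnamed"),
                     loc.get("file", "?"), loc.get("start_line")))
    return hits

def main(path="gl-secret-detection-report.json", min_severity="Low"):
    """Exit code: 0 = clean, 1 = findings, 2 = report missing or unreadable."""
    try:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        print(f"cannot read {path}: {exc}", file=sys.stderr)
        return 2  # fail closed: a missing report must not look like a clean scan
    hits = findings(report, min_severity)
    for sev, name, file, line in hits:
        print(f"[{sev}] {name} at {file}:{line}")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:3]))
```

Saved under a hypothetical name such as `validate_secrets.py`, it would replace the job's `script:` entry; the non-zero exit code is what turns a detected secret into a failed job.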