Harden CI scan output

.gitlab-ci.yml

@@ -10,12 +10,15 @@ verify:no_secrets:
     - |
       set +e
       secret_re='(BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|-----BEGIN PGP PRIVATE KEY BLOCK-----|aws_secret_access_key|AKIA[0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20,})'
-      git grep -nE "$secret_re" -- .
+      matches="$(git grep -lE "$secret_re" -- .)"
       status=$?
       set -e
 
       if [ "$status" -eq 0 ]; then
-        echo "❌ Potential secret detected. Remove it or encrypt it into vault/."
+        echo "❌ Potential secret detected in:"
+        echo "$matches"
+        echo
+        echo "Remove it or encrypt it into vault/."
         exit 1
       elif [ "$status" -ne 1 ]; then
         echo "❌ Secret scan failed (git grep exit $status)."