diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 0dd5116c6e..d881a08a5c 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -1,17 +1,33 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
+# These scan results are run as part of CRT workflows.
+
+# Un-triaged results will block release. See `security-scanner` docs for more
+# information on how to add `triage` config to unblock releases for specific results.
+# In most cases, we should not need to disable the entire scanner to unblock a release.
+
+# To run manually, install scanner and then from the repository root run
+# `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan ...`
+# To scan a local container, add `local_daemon = true` to the `container` block below.
+# See `security-scanner` docs or run with `--help` for scan target syntax.
+
 container {
   dependencies = true
   alpine_secdb = false
-  secrets = false
+
+  secrets {
+    all = true
+  }
 }
 
 binary {
-  secrets = false
-  go_modules = false
+  go_modules = true
   osv = true
-  # TODO(spatel): CE refactor
   oss_index = true
   nvd = true
+
+  secrets {
+    all = true
+  }
 }
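Review bot: `alpine_secdb = false` in the `container` block is left in place without a reason, even though the new header comment says an entire scanner should not normally be disabled to unblock a release; if the release container is Alpine-based (not visible here), that leaves its OS packages outside the CVE scan. Either enable it or record why it is off next to the line, e.g. `# alpine_secdb disabled: <reason>; revisit if the release image base changes`. Separately, `secrets { all = true }` in both blocks turns on every secret rule, so any test fixture or example credential in the repository or binary will block release until a `triage` entry exists; since the header points readers at `triage` config but the file shows none, consider adding a short comment or placeholder marking where those exceptions belong, per the `security-scanner` docs the header references.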