diff --git a/ci-tools/vulnerability-scan b/ci-tools/vulnerability-scan
index 870962fbb37683a9a0328f7aced7e84dae571673..18ef9b9a48cf4f0db36bc5896c1df873937d3313 100755
--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -30,4 +30,6 @@ else
 fi
 '
 
-nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
+# vulnix exits with an error status if there are vulnerabilities.  we don't
+# want to fail the job in that case because then we can't see the report.
+nix-shell -p vulnix --run 'vulnix ./scan-target/ || true' | tee "$OUTPUT"
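Review bot: The `|| true` on the new `nix-shell` line hides every non-zero exit from vulnix, not only "vulnerabilities found". A scan that fails to run (advisory data cannot be fetched, bad `./scan-target/`, tool crash) then leaves a green job with an empty or partial report that looks like a clean result. vulnix appears to use distinct exit codes for findings and for errors (2 for findings, as far as I recall; confirm against the pinned version), so only the findings codes should be tolerated, e.g. `vulnix ./scan-target/; rc=$?; [ "$rc" -le 2 ] || exit "$rc"` inside the `--run` string. The top of the script is outside this hunk, so I cannot tell whether `pipefail` is set; without it the `| tee` already discards the scanner's status, and the comment should state which mechanism the job relies on.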