diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1e3186bf5158b5bd0a4e78dec9327a8679f3b3d1..a41c0314f40946cf744c1b0542be9215f055292b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,6 +10,7 @@ unit-tests:
 
 vulnerability-scan:
   stage: "test"
+  allow_failure: true
   script:
     - "ci-tools/vulnerability-scan security-report.txt"
   artifacts:
diff --git a/ci-tools/vulnerability-scan b/ci-tools/vulnerability-scan
index 18ef9b9a48cf4f0db36bc5896c1df873937d3313..bc87cbd543ed8bce5b463437eb2fc75317978442 100755
--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -30,6 +30,7 @@ else
 fi
 '
 
-# vulnix exits with an error status if there are vulnerabilities.  we don't
-# want to fail the job in that case because then we can't see the report.
-nix-shell -p vulnix --run 'vulnix ./scan-target/ || true' | tee "$OUTPUT"
+# vulnix exits with an error status if there are vulnerabilities.  We told
+# GitLab to allow this by setting `allow_failure` to true in the GitLab CI
+# config.
+nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"