diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e0f606d90f25249db2cba26348181384327620a8..d92b5037f0e18d0291065c56a5f96b2eb2917f5b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,19 +10,11 @@ unit-tests:
 
 vulnerability-scan:
   stage: "test"
-  allow_failure:
-    # https://docs.gitlab.com/ee/ci/yaml/README.html#allow_failureexit_codes
-    exit_codes:
-      # Allow *some* exit codes through without treating them as
-      # pipeline-failing conditions.
-      # https://github.com/flyingcircusio/vulnix/blob/master/doc/vulnix.1.md
-
-      # All found errors are whitelisted
-      - 1
-      # Vulnerabilities found, but still, please don't halt the build.
-      - 2
-
-
+  # It would be nice to target this a bit more specifically.  If we upgrade to
+  # a newer GitLab (13.11?) then we can select exit codes that are allowed.
+  # For now we're stuck with true/false though.
+  # https://whetstone.privatestorage.io/help/ci/yaml/README.md#allow_failure
+  allow_failure: true
   script:
     - "ci-tools/vulnerability-scan security-report.txt"
   artifacts:
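Review bot: `allow_failure: true` on line 26 also swallows the `exit 4` that ci-tools/vulnerability-scan uses for a failed morph build, so a scan that never ran now shows as a passing job with a warning and missing vulnerability reports will go unnoticed; the removed `exit_codes: [1, 2]` form only let vulnix's own results through. Until `allow_failure:exit_codes` is available, the script itself could treat vulnix statuses 0-3 as success and keep its build-failure status non-zero, which would let this key return to `allow_failure: false`. If that is not done, the comment above the key should say explicitly that a broken scan-target build no longer fails the pipeline, e.g. `# NOTE: this also hides the non-recoverable build failure (exit 4) from ci-tools/vulnerability-scan.`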
diff --git a/ci-tools/vulnerability-scan b/ci-tools/vulnerability-scan
index 04058db1079301298a2e1eeea24085fb31b490dd..94cfd3f84cf83f700c250ee047f6c16e975a5e02 100755
--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -26,14 +26,15 @@ if morph_result=$(morph build morph/grid/testing/grid.nix 2>&1); then
   ln -s "$object" scan-target
 else
   echo "$morph_result"
-  # Signal to the GitLab CI configuration this is a non-recoverable failure.
+
+  # exit status 0-3 reserved for vulnix result.
   exit 4
 fi
 '
 
 # vulnix exits with an error status if there are vulnerabilities.  We told
 # GitLab to allow this by setting `allow_failure` to true in the GitLab CI
-# config.
-set +e
+# config.  vulnix exit status indicates what vulnix thinks happened.  If we
+# upgrade to a newer GitLab then we can make GitLab pipeline behavior vary
+# based on this.
 nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
-exit $?
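Review bot: The vulnix exit status the new comment on lines 49-51 describes never reaches GitLab: the status of the `nix-shell ... | tee "$OUTPUT"` pipeline on line 52 is `tee`'s, not vulnix's, unless `set -o pipefail` is in effect, and nothing in the hunk enables it (the script's head, where `set -e` presumably lives given the removed `set +e`, is outside the hunk). Since 0-3 are now documented as reserved for vulnix and 4 for the build failure, the script could capture the real status and only propagate values that are not vulnix results, which would also keep the build failure visible to CI. The `|| status=$?` form is used so the capture still works if `set -e` is active earlier in the file.
```shell
# … unchanged: comment above the vulnix invocation …
set -o pipefail
status=0
nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT" || status=$?
# 0-3 are vulnix's own verdicts (see the exit 4 reservation above); anything
# larger means vulnix did not run as expected and should fail the job.
if [ "$status" -gt 3 ]; then
  exit "$status"
fi
exit 0
```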