diff --git a/ci-tools/vulnerability-scan b/ci-tools/vulnerability-scan
index c252a303c1ffd7fac589fa3d42c4d4883478564e..a2b2d6c9c02eb90c48ee9613deb65e8172e6dd28 100755
--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -35,4 +35,5 @@ fi
 # GitLab to allow this by setting `allow_failure` to true in the GitLab CI
 # config.
 set +eo pipefail
-nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
+status=$(nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT")
+exit $status