Skip to content
Latchkey

grype --fail-on: Gate the Build on Severity

grype --fail-on <severity> exits non-zero when any vulnerability at or above that severity is found, turning the scan into a gate.

By default grype reports and exits 0. --fail-on is the single flag that converts a report into a pass/fail check on the severity threshold you choose.

What it does

grype --fail-on negligible|low|medium|high|critical sets the lowest severity that triggers a non-zero exit. Anything at or above that level fails the step. Combined with --only-fixed and ignore rules, it scopes the gate to issues you actually want to block on.

Common usage

Terminal
grype myorg/app:ci --fail-on high
grype myorg/app:ci --fail-on critical --only-fixed
# allowlist specific CVEs in .grype.yaml, then gate
grype myorg/app:ci --fail-on high -c .grype.yaml

Options

FlagWhat it does
--fail-on <severity>Exit non-zero at or above this severity
--only-fixedOnly count vulnerabilities that have a fix
-c, --config <file>Config file with ignore rules (.grype.yaml)
--by-cveMatch and report by CVE rather than vendor ID
-q, --quietSuppress the progress UI for clean CI logs

In CI

Use --fail-on high to block merges on high and critical findings, and --only-fixed so the gate covers what you can patch. Maintain ignore rules in a committed .grype.yaml (with vulnerability IDs and an optional expiry) so suppressions are reviewed, mirroring the .trivyignore pattern.

Common errors in CI

A pipeline that ignores known CVEs forgot --fail-on (grype exits 0 without it). A noisy gate is missing --only-fixed or has the threshold too low. If an ignore rule does not apply, check that .grype.yaml is found (pass -c explicitly) and that the rule matches the exact vulnerability ID grype reports.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →