grype --fail-on: Gate the Build on Severity
grype --fail-on <severity> exits non-zero when any vulnerability at or above that severity is found, turning the scan into a gate.
By default grype reports and exits 0. --fail-on is the single flag that converts a report into a pass/fail check on the severity threshold you choose.
What it does
grype --fail-on negligible|low|medium|high|critical sets the lowest severity that triggers a non-zero exit. Anything at or above that level fails the step. Combined with --only-fixed and ignore rules, it scopes the gate to issues you actually want to block on.
Common usage
grype myorg/app:ci --fail-on high
grype myorg/app:ci --fail-on critical --only-fixed
# allowlist specific CVEs in .grype.yaml, then gate
grype myorg/app:ci --fail-on high -c .grype.yamlOptions
| Flag | What it does |
|---|---|
| --fail-on <severity> | Exit non-zero at or above this severity |
| --only-fixed | Only count vulnerabilities that have a fix |
| -c, --config <file> | Config file with ignore rules (.grype.yaml) |
| --by-cve | Match and report by CVE rather than vendor ID |
| -q, --quiet | Suppress the progress UI for clean CI logs |
In CI
Use --fail-on high to block merges on high and critical findings, and --only-fixed so the gate covers what you can patch. Maintain ignore rules in a committed .grype.yaml (with vulnerability IDs and an optional expiry) so suppressions are reviewed, mirroring the .trivyignore pattern.
Common errors in CI
A pipeline that ignores known CVEs forgot --fail-on (grype exits 0 without it). A noisy gate is missing --only-fixed or has the threshold too low. If an ignore rule does not apply, check that .grype.yaml is found (pass -c explicitly) and that the rule matches the exact vulnerability ID grype reports.