diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index bc5ff630..c7683d88 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -71,6 +71,7 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
         with:
           comment-summary-in-pr: always
+          fail-on-severity: critical
       - name: Sign the image with GitHub OIDC token
         if: ${{ github.event_name != 'merge_group' }}
         # This step uses the GitHub OIDC identity token to provision an ephemeral certificate