Container Scanning exits with success status when vulnerabilities are found

Summary

I've just discovered that the GitLab Container Scanning tool is exiting with a success status code of 0 regardless of whether vulnerabilities have been found or not.

In a Container Scanning job that uses the default settings, this has little impact, but if a user overrides the allow_failure option and sets it to false, the job still does not fail as expected, because the scanner's exit status is what the job's result is derived from.

Steps to reproduce

Create a new project with a .gitlab-ci.yml file containing:

include:
  - template: Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CI_APPLICATION_REPOSITORY: "alpine"
    CI_APPLICATION_TAG: "3.9.2"
    DOCKER_USER: ""
    DOCKER_PASSWORD: ""
  allow_failure: false

Example Project

https://gitlab.com/adamcohen/test-allow-failure-in-cs/-/tree/test-allow-failure

What is the current bug behavior?

Container Scanning job succeeds

What is the expected correct behavior?

Container Scanning job fails

Relevant logs and/or screenshots

https://gitlab.com/adamcohen/test-allow-failure-in-cs/-/jobs/479147073

 [ERRO] ▶ Image [alpine:3.9.2] contains 1 unapproved vulnerabilities
 +------------+---------------------+--------------+-----------------+---------------------------------------------------------------+
 | STATUS     | CVE SEVERITY        | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION                                               |
 +------------+---------------------+--------------+-----------------+---------------------------------------------------------------+
 | Unapproved | High CVE-2019-14697 | musl         | 1.1.20-r3       | musl:1.1.20-r3 is affected by CVE-2019-14697                  |
 |            |                     |              |                 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697 |
 +------------+---------------------+--------------+-----------------+---------------------------------------------------------------+
Running after script
Uploading artifacts for successful job
 Uploading artifacts...
 gl-container-scanning-report.json: found 1 matching files 
 Uploading artifacts to coordinator... ok            id=478894136 responseStatus=201 Created token=ANXWvwFC
 Job succeeded

The above job should fail, but it succeeds.
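As an added workaround example (not GitLab's code), the following gate reads the gl-container-scanning-report.json artifact the job uploads and returns a non-zero exit status when findings remain, so a job with allow_failure: false fails as intended. It assumes the report's top-level "vulnerabilities" list carries a "severity" string per entry; the sample report is constructed to mirror the musl finding in the log above.

```python
import json
import sys

# Assumed severity labels used in GitLab security reports, ranked for thresholding.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Unknown": 1, "Info": 0}

# Constructed sample report mirroring the single finding shown in the job log.
SAMPLE_REPORT = json.dumps({
    "version": "2.3",
    "vulnerabilities": [
        {"category": "container_scanning",
         "message": "CVE-2019-14697 in musl",
         "severity": "High",
         "location": {"dependency": {"package": {"name": "musl"}, "version": "1.1.20-r3"},
                      "image": "alpine:3.9.2"}},
    ],
})


def findings_at_or_above(report_text, min_severity="Unknown"):
    """Return the findings whose severity is at least min_severity."""
    report = json.loads(report_text)
    threshold = SEVERITY_RANK[min_severity]
    return [v for v in report.get("vulnerabilities", [])
            if SEVERITY_RANK.get(v.get("severity", "Unknown"), 1) >= threshold]


def gate_exit_code(report_text, min_severity="Unknown"):
    """Exit status the job should end with: 1 when findings remain, 0 otherwise."""
    return 1 if findings_at_or_above(report_text, min_severity) else 0


def main(argv):
    # Usage: gate.py [report-path] [minimum-severity]
    path = argv[1] if len(argv) > 1 else "gl-container-scanning-report.json"
    min_sev = argv[2] if len(argv) > 2 else "Unknown"
    with open(path) as fh:
        text = fh.read()
    for v in findings_at_or_above(text, min_sev):
        print(f"{v['severity']}: {v.get('message', '')}")
    return gate_exit_code(text, min_sev)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the job's script section after the scanner, not from after_script, whose exit status does not affect the job result.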

Output of checks

This bug happens on GitLab.com

Edited Apr 02, 2020 by Adam Cohen