diff --git a/.github/workflows/pr-validate.yml b/.github/workflows/pr-validate.yml
index 6c34abd..2ad3c35 100644
--- a/.github/workflows/pr-validate.yml
+++ b/.github/workflows/pr-validate.yml
@@ -48,8 +48,8 @@ jobs:
           image-ref: trust-pkg-stagex:pr-${{ github.event.pull_request.number }}
           format: sarif
           output: trivy-results.sarif
-          severity: CRITICAL,HIGH
-          exit-code: "0"
+          severity: CRITICAL
+          exit-code: "1"
 
       - name: Upload SARIF to GitHub Security
         if: always()
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 70cee89..a7a6a2f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -118,8 +118,8 @@ jobs:
           image-ref: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
           format: sarif
           output: trivy-results.sarif
-          severity: CRITICAL,HIGH
-          exit-code: "0"
+          severity: CRITICAL
+          exit-code: "1"
 
       - name: Upload SARIF to GitHub Security
         if: always()