diff --git a/.github/workflows/build-test-publish.yml b/.github/workflows/build-test-publish.yml
index 4a5dece..ca398e1 100755
--- a/.github/workflows/build-test-publish.yml
+++ b/.github/workflows/build-test-publish.yml
@@ -157,6 +157,11 @@ on:
         default: false
         required: false
         type: boolean
+      npm_audit_severity_threshold:
+        description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
+        default: "moderate"
+        required: false
+        type: string
       trivy_severity:
         description: "minimum severity level for trivy (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"
         default: "MEDIUM,HIGH,CRITICAL"
@@ -226,6 +231,7 @@ jobs:
       runner: ${{ inputs.runner }}
       semgrep_rules: ${{ inputs.semgrep_rules }}
       npm_audit_omit_dev: ${{ inputs.npm_audit_omit_dev }}
+      npm_audit_severity_threshold: ${{ inputs.npm_audit_severity_threshold }}
   test_and_build:
     needs: [lint, security_scan_source]
     if: |
diff --git a/.github/workflows/npm-audit-autofix.yml b/.github/workflows/npm-audit-autofix.yml
index 87f7179..70b1252 100644
--- a/.github/workflows/npm-audit-autofix.yml
+++ b/.github/workflows/npm-audit-autofix.yml
@@ -19,6 +19,11 @@ on:
         default: false
         required: false
         type: boolean
+      severity_threshold:
+        description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
+        default: "moderate"
+        required: false
+        type: string
       runner:
         description: "workflow runner"
         default: "ubuntu-latest"
@@ -90,7 +95,7 @@ jobs:
         if: steps.changes.outputs.has_changes == 'true'
         run: |
           set +e
-          npm audit --audit-level=moderate${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
+          npm audit --audit-level=${{ inputs.severity_threshold }}${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
           AUDIT_EXIT=$?
           set -e
diff --git a/.github/workflows/security-scan-source.yml b/.github/workflows/security-scan-source.yml
index f85a62b..b62e82b 100644
--- a/.github/workflows/security-scan-source.yml
+++ b/.github/workflows/security-scan-source.yml
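Review bot: The description on the new `npm_audit_severity_threshold` input lists `low, moderate, high, critical`, but the input is an unconstrained `string` and npm's `--audit-level` also accepts `info` and `none`, where `none` makes `npm audit` exit zero regardless of findings — a caller that passes it silently switches the gate off. Nothing in the added lines or the pass-through below enforces the four listed values, so the description should at least say that only those four are supported and that other values (including `none`) are not; for example `description: "minimum npm audit severity that fails the scan; must be one of low, moderate, high, critical (npm's 'none' disables failing and is not supported)"`. Actual enforcement belongs where the value reaches the shell, which is in the reusable workflows rather than in this `on:` block, whose start and end lie outside the hunk.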
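Review bot: On the added `npm audit` line the caller-supplied `${{ inputs.severity_threshold }}` is expanded by the template engine straight into the shell text of the `run: |` block, so the value is not an argument but part of the script — a string such as `moderate --registry=...` or one containing `;` rewrites the command instead of setting the flag, and `none` disables the audit gate altogether. Whether any caller can route untrusted data into this input is not visible here, but the input is declared as a free-form `string`, so the safe pattern is to hand it to the shell through the step's `env:` and reject anything outside the documented set before it is used. The step header (`- name:` and any existing `env:`) sits above the hunk, and the `AUDIT_EXIT` handling below it is unchanged; the rewritten part of the step would be:

```yaml
        env:
          AUDIT_LEVEL: ${{ inputs.severity_threshold }}
        run: |
          case "$AUDIT_LEVEL" in
            low|moderate|high|critical) ;;
            *) echo "severity_threshold must be one of low, moderate, high, critical (got '$AUDIT_LEVEL')" >&2; exit 1 ;;
          esac
          set +e
          npm audit --audit-level="$AUDIT_LEVEL"${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
          # … unchanged: AUDIT_EXIT=$? and set -e …
```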
@@ -29,6 +29,11 @@ on:
         default: false
         required: false
         type: boolean
+      npm_audit_severity_threshold:
+        description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
+        default: "moderate"
+        required: false
+        type: string
     outputs:
       semgrep_result:
         description: "semgrep scan result"
@@ -163,14 +168,13 @@ jobs:
       - name: npm audit
         id: npm-audit
         if: ${{ inputs.tool == 'npm' }}
-        run: npm audit --audit-level=moderate${{ inputs.npm_audit_omit_dev && '
-          --omit=dev' || '' }}
+        run: npm audit --audit-level=${{ inputs.npm_audit_severity_threshold }}${{ inputs.npm_audit_omit_dev && ' --omit=dev' || '' }}
         continue-on-error: false
       - name: yarn audit
         id: yarn-audit
         if: ${{ inputs.tool == 'yarn' }}
-        run: yarn audit --level moderate
+        run: yarn audit --level ${{ inputs.npm_audit_severity_threshold }}
         continue-on-error: false
       - name: upload security scan reports
@@ -194,3 +198,4 @@ jobs:
       root_dir: ${{ inputs.root_dir }}
       node_version: "24.15.0"
       omit_dev: ${{ inputs.npm_audit_omit_dev }}
+      severity_threshold: ${{ inputs.npm_audit_severity_threshold }}
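Review bot: Both added `run:` lines splice `${{ inputs.npm_audit_severity_threshold }}` into the command text of a reusable workflow whose input is an unconstrained `string`, so a caller's value becomes shell syntax rather than a flag argument, and the yarn line has a second problem: in Yarn classic `--level` is documented as limiting which advisories are displayed, and as far as I recall the exit status stays a bitmask of every severity found, so the new threshold would not change whether the yarn step fails — confirm against the yarn version in use, or derive the verdict from `yarn audit --json` output. For the npm step the value should be validated against the four documented levels (which also excludes npm's `none`, a value that makes the gate pass unconditionally) and passed via the step's `env:` rather than template expansion; `id:` and `if:` are unchanged, and the job and `steps:` list begin above the hunk. The rewritten npm step would be:

```yaml
      - name: npm audit
        # … unchanged: id and if …
        env:
          AUDIT_LEVEL: ${{ inputs.npm_audit_severity_threshold }}
        run: |
          case "$AUDIT_LEVEL" in
            low|moderate|high|critical) ;;
            *) echo "npm_audit_severity_threshold must be one of low, moderate, high, critical (got '$AUDIT_LEVEL')" >&2; exit 1 ;;
          esac
          npm audit --audit-level="$AUDIT_LEVEL"${{ inputs.npm_audit_omit_dev && ' --omit=dev' || '' }}
        # … unchanged: continue-on-error, yarn audit step, upload step …
```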