diff --git a/ee/app/services/security/ingestion/ingest_reports_service.rb b/ee/app/services/security/ingestion/ingest_reports_service.rb
index ef01b08cdf10e6df2173710e7d6f284e96971b16..b134740f3cc8c46f75e3892cf02c741871415087 100644
--- a/ee/app/services/security/ingestion/ingest_reports_service.rb
+++ b/ee/app/services/security/ingestion/ingest_reports_service.rb
@@ -56,7 +56,11 @@ def ingest(security_scan)
       end
 
       def mark_project_as_vulnerable!
-        project.mark_as_vulnerable!
+        project.mark_as_vulnerable! if ingested_vulnerabilities?
+      end
+
+      def ingested_vulnerabilities?
+        ingested_ids_by_scanner.values.any?(&:present?)
       end
 
       def set_latest_pipeline!
diff --git a/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb b/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
index 891e7f8070988e56b4242a20a8dcb6161e6daccc..3c995927bd73bf46569c4def3777bf757351bf17 100644
--- a/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
+++ b/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
@@ -43,6 +43,15 @@
         .and change { project.reload.vulnerability_statistic&.latest_pipeline_id }.to(pipeline.id)
     end
 
+    context 'when ingested reports are empty' do
+      let(:ids_1) { [] }
+      let(:ids_2) { [] }
+
+      it 'does not set has_vulnerabilities' do
+        expect { ingest_reports }.not_to change { project.reload.project_setting.has_vulnerabilities }.from(false)
+      end
+    end
+
     it 'calls ScheduleMarkDroppedAsResolvedService with primary identifier IDs' do
       ingest_reports