Add malware OR path to GroupedFindingsEvaluator behind feature flag
What does this MR do and why?
Adds the malware OR path to Security::ScanResultPolicies::GroupedFindingsEvaluator and introduces the security_policies_malware_attribute feature flag (this is its first Feature.enabled? consumer).
When a scanner is marked is_malicious: true (and the flag is enabled), a malicious-only finder runs alongside the standard filter result and the results are OR'd: the malicious branch builds finder params with only { scanners:, malicious: true, related_pipeline_ids: } and returns a result with vulnerabilities_allowed: 0. Omitting the severity/state filters is what makes a malware finding block the MR regardless of the rule's other criteria, while the standard filters still surface their own violations independently. With the flag off, behaviour is unchanged.
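A simplified model of the OR path described above, added here as an illustration and not GitLab's own code: the class, struct and method names are hypothetical, the feature flag is passed in as a boolean standing in for Feature.enabled?, and related_pipeline_ids is omitted.

```ruby
# Hypothetical model of the malware OR path (not GitLab's implementation).
Finding = Struct.new(:scanner, :severity, :state, :malicious, keyword_init: true)
Rule    = Struct.new(:scanners, :severities, :states, :vulnerabilities_allowed, keyword_init: true)

class MalwareOrEvaluator
  # flag_enabled stands in for Feature.enabled?(:security_policies_malware_attribute)
  def initialize(findings, malicious_scanners:, flag_enabled:)
    @findings = findings
    @malicious_scanners = malicious_scanners # scanners configured with is_malicious: true
    @flag_enabled = flag_enabled
  end

  # Returns true when the MR must be blocked for this rule.
  def violates?(rule)
    results = [standard_result(rule)]
    results << malicious_result(rule) if malware_path?(rule)
    # OR: a branch blocks the MR when its count exceeds its own threshold.
    results.any? { |r| r[:count] > r[:vulnerabilities_allowed] }
  end

  private

  def malware_path?(rule)
    @flag_enabled && (rule.scanners & @malicious_scanners).any?
  end

  # Standard filter: scanner AND severity AND state, with the rule's own threshold.
  def standard_result(rule)
    count = @findings.count do |f|
      rule.scanners.include?(f.scanner) &&
        rule.severities.include?(f.severity) &&
        rule.states.include?(f.state)
    end
    { count: count, vulnerabilities_allowed: rule.vulnerabilities_allowed }
  end

  # Malicious-only branch: only { scanners:, malicious: true } as params,
  # no severity/state filters, and a threshold of zero.
  def malicious_result(rule)
    count = @findings.count { |f| rule.scanners.include?(f.scanner) && f.malicious }
    { count: count, vulnerabilities_allowed: 0 }
  end
end

# Constructed sample: one malware finding whose severity the rule would not match.
def demo(flag_enabled)
  findings = [Finding.new(scanner: 'malware', severity: 'low', state: 'detected', malicious: true)]
  rule = Rule.new(scanners: ['malware'], severities: ['critical'], states: ['detected'],
                  vulnerabilities_allowed: 0)
  MalwareOrEvaluator.new(findings, malicious_scanners: ['malware'], flag_enabled: flag_enabled)
                    .violates?(rule)
end
```

With the flag on, demo(true) blocks the MR through the malicious branch alone; with it off, demo(false) falls back to the standard filters and does not.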
References
- Part of #19465 (moved) (epic: MR Approval Malware Policy)
- Closes #601959 (closed)
- Introduces feature flag security_policies_malware_attribute (gitlab_com_derisk, default off)
- Consumes the malicious: finder filter from #601956 (closed); unblocks the frontend flag work in #601960 (closed)
Screenshots or screen recordings
Not applicable — backend-only change.
How to set up and validate locally
- Enable the flag in the Rails console: Feature.enable(:security_policies_malware_attribute)
- Configure an approval policy rule with a scanner marked is_malicious: true.
- Run a pipeline that produces a malware finding and confirm the MR is blocked even when the rule's severity/state filters would not match.
- Disable the flag and confirm behaviour is unchanged.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.