[Backend]: Malware finding scope and FindingsFinder malicious filter
Part of epic **MR Approval Malware Policy** (gitlab-org/gitlab#19465). PoC: gitlab-org/gitlab!235643.

## Goal

Provide the data layer to identify malware findings and a finder mode to fetch only them.

## Scope

- `Vulnerabilities::MalwareDetection::MALICIOUS_PACKAGE_IDENTIFIER_PREFIXES = %w[GLAM- MAL-].freeze` (GLAM- canonical analyzer prefix; MAL- customer-facing display prefix).
- `Security::Finding.malicious` scope — JSONB `EXISTS` over `finding_data->'identifiers'` where `external_id LIKE 'GLAM-%' OR LIKE 'MAL-%'`.
- `Security::ScanResultPolicies::FindingsFinder` `malicious: true` — a **composable boolean filter** that applies the `.malicious` scope alongside the other filters. **No superseding early-return**: the finder stays free of business logic; the "malicious supersedes other filters" behavior is owned by the caller (#601959).
- No feature flag (pure query capability; unreachable while flag off).

## Reviewer notes (from PoC, @mc_rocha)

- Include the **full SQL query** in the MR description (Danger requires it for new scopes).
- Evaluate JSONB `EXISTS` performance / indexing.
- **Backend review on !239123 ([note](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/239123#note_3434313509)):** rename param `malicious_only` → `malicious` and keep the finder a pure, reusable filter (`findings = findings.malicious if params[:malicious]`). Supersede/business logic moves to `GroupedFindingsEvaluator` (#601959).

## Acceptance criteria

- [ ] `.malicious` returns only malware findings.
- [ ] `malicious: true` applies `.malicious` and composes with the scanner (and other) filters — no early-return/superseding inside the finder.

## Tests

- Scope spec; finder spec.

## Dependencies

None. Feeds the Evaluator issue.
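
The semantics the scope and acceptance criteria describe, as an added in-memory Ruby model (not GitLab's code and not the MR's implementation). The hash layout, `malicious_finding?`, `find_findings`, the `:scanners` param and all sample identifiers are assumptions made for illustration; only the prefix list comes from the issue.

```ruby
# Prefix list as given in the issue.
MALICIOUS_PACKAGE_IDENTIFIER_PREFIXES = %w[GLAM- MAL-].freeze

# Models the JSONB EXISTS: true when ANY identifier's external_id starts
# with a prefix. start_with? is anchored and case-sensitive, matching
# PostgreSQL LIKE 'GLAM-%' / LIKE 'MAL-%'.
def malicious_finding?(finding)
  identifiers = finding.dig(:finding_data, 'identifiers') || []
  identifiers.any? do |identifier|
    identifier['external_id'].to_s.start_with?(*MALICIOUS_PACKAGE_IDENTIFIER_PREFIXES)
  end
end

# Hypothetical stand-in for the finder: each filter narrows the same
# collection. `malicious` never returns early or discards other filters;
# any "supersede" decision is left to the caller.
def find_findings(findings, params = {})
  if params[:scanners]
    findings = findings.select { |f| params[:scanners].include?(f[:scan_type]) }
  end
  findings = findings.select { |f| malicious_finding?(f) } if params[:malicious]
  findings
end

# Constructed sample findings (identifiers are made up).
SAMPLE_FINDINGS = [
  { id: 1, scan_type: 'dependency_scanning',
    finding_data: { 'identifiers' => [{ 'external_id' => 'GLAM-0001' }] } },
  { id: 2, scan_type: 'container_scanning', # match on the second identifier
    finding_data: { 'identifiers' => [{ 'external_id' => 'CVE-0000-0000' },
                                      { 'external_id' => 'MAL-0002' }] } },
  { id: 3, scan_type: 'dependency_scanning', # prefix not at start: no match
    finding_data: { 'identifiers' => [{ 'external_id' => 'CVE-0000-MAL-1' }] } },
  { id: 4, scan_type: 'dependency_scanning', # lowercase: no match
    finding_data: { 'identifiers' => [{ 'external_id' => 'mal-0003' }] } },
  { id: 5, scan_type: 'sast', finding_data: {} } # no identifiers key
].freeze

def ids(findings)
  findings.map { |f| f[:id] }
end

puts ids(find_findings(SAMPLE_FINDINGS, malicious: true)).inspect
puts ids(find_findings(SAMPLE_FINDINGS, malicious: true,
                                        scanners: ['dependency_scanning'])).inspect
```

Cases 3 to 5 are the ones a scope spec would want as negative fixtures: a prefix appearing mid-string, a lowercase prefix, and a finding with no `identifiers` array.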
issue