Part of epic **MR Approval Malware Policy** (gitlab-org/gitlab#19465). PoC: gitlab-org/gitlab!235643. ## Goal Build the reusable `MalwareSettings` editor control and expose the feature flag to the frontend. ## Scope - New `ee/.../policy_editor/scan_result/rule/scanners/malware_settings.vue`: section heading + subtle helper + **checkbox (default checked)**, copy to the right of the checkbox (per Design System guidance relayed by `@marissa.henri`; replaces the PoC's `GlToggle`). - i18n strings: `Malware settings`, `Detect malware in this scan`, `When malware is detected, the merge request is automatically blocked.` - Push `security_policies_malware_attribute` to `gon` in `ee/app/controllers/projects/security/policies_controller.rb` and `ee/app/controllers/groups/security/policies_controller.rb`. ## Reconcile (blocking acceptance criterion) "Checkbox default checked" conflicts with the schema/data default `is_malicious: false`. Decide and encode one: - (a) editor writes `is_malicious: true` by default when a DS/CS scanner is added (malware-blocking opt-out), or - (b) checkbox shows checked but only persists `true` on explicit interaction. ## Acceptance criteria - [ ] Renders heading/helper/checkbox; emits `input` on change; respects `value`/`disabled`. - [ ] Component is standalone (not yet mounted into a scanner block). - [ ] FF pushed to gon in both controllers. ## Tests - Jest spec (checkbox variant of the PoC's `malware_settings_spec.js`). ## Dependencies Needs the feature flag, which is introduced in the evaluator issue #601959 (`push_frontend_feature_flag` requires the flag YAML to exist).