From f7700ae65d4fe90e390432499704fca6ea5de124 Mon Sep 17 00:00:00 2001
From: Marc Shaw
Date: Wed, 17 Dec 2025 17:45:06 +0100
Subject: [PATCH 1/2] Fix flaky test: Security::ScanResultPolicies::PolicyViolationDetails#fail_closed_policies

The test was flaky because violations for policy3 were created without explicitly associating an approval_policy_rule. This caused the `violations` method to rely on a database query via `scan_result_policy_rules`, which uses `index_by(&:scan_result_policy_id)`. When multiple approval rules exist for the same scan_result_policy_id, `index_by` returns only ONE rule non-deterministically, causing the test to sometimes find "Other" and sometimes not. The fix ensures all violations have their approval_policy_rule explicitly set, making the test deterministic.

Changelog: fixed
---
 .../scan_result_policies/policy_violation_details_spec.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb b/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb
index cc50a4a396d8ed..475492c0adc4b7 100644
--- a/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb
+++ b/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb
@@ -327,17 +327,19 @@ def build_violation_details(policy, data, status = :failed)
 describe '#fail_open_policies' do
 subject(:fail_open_policies) { details.fail_open_policies }
+ let(:policy3_rule) { create(:approval_policy_rule) }
+
 before do
 create(:scan_result_policy_violation, :failed, project: project, merge_request: merge_request,
 scan_result_policy_read: policy1)
 create(:scan_result_policy_violation, :failed, project: project, merge_request: merge_request,
 scan_result_policy_read: policy2)
 create(:scan_result_policy_violation, :warn, project: project, merge_request: merge_request,
- scan_result_policy_read: policy3)
+ scan_result_policy_read: policy3, approval_policy_rule: policy3_rule)
 create(:report_approver_rule, :scan_finding, merge_request: merge_request,
- scan_result_policy_read: policy3, name: 'Other')
+ scan_result_policy_read: policy3, approval_policy_rule: policy3_rule, name: 'Other')
 create(:report_approver_rule, :scan_finding, merge_request: merge_request,
- scan_result_policy_read: policy3, name: 'Other 2')
+ scan_result_policy_read: policy3, approval_policy_rule: policy3_rule, name: 'Other 2')
 create(:scan_result_policy_violation, :warn, project: project, merge_request: merge_request,
 scan_result_policy_read: policy_warn_mode, approval_policy_rule: warn_mode_policy_rule)
 end
-- 
GitLab

From a66ce1ad0ccc142a931fbb19ee725766001c2cfa Mon Sep 17 00:00:00 2001
From: Marc Shaw
Date: Wed, 17 Dec 2025 17:47:11 +0100
Subject: [PATCH 2/2] Add missing fix for #fail_closed_policies test

The previous commit only fixed #fail_open_policies but missed the main failing test #fail_closed_policies at line 292. This commit adds the same fix pattern to ensure policy3 violations have explicit approval_policy_rule associations.
---
 .../scan_result_policies/policy_violation_details_spec.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
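Review bot: The policy1 and policy2 violations in this `before` block are still created without `approval_policy_rule:`, so the commit message's claim that all violations now have it set does not hold for `#fail_open_policies`. According to the description those two still resolve through `scan_result_policy_rules` and its `index_by(&:scan_result_policy_id)`, which stays deterministic only while each policy read has a single approval rule; the rules for policy1 and policy2 are defined outside the hunk, so that cannot be confirmed from here. Either give them explicit rules too or document the intent above the new `let`, e.g. `# policy3 has two approver rules; an explicit rule avoids the index_by(&:scan_result_policy_id) fallback picking one of them.` Since that fallback decides which policy name is reported for a violated policy, an example covering a rule-less violation with several approver rules would be worth keeping.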
diff --git a/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb b/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb
index 475492c0adc4b7..54926a6663b385 100644
--- a/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb
+++ b/ee/spec/lib/security/scan_result_policies/policy_violation_details_spec.rb
@@ -276,15 +276,16 @@ def build_violation_details(policy, data, status = :failed)
 scan_result_policy_read: policy2)
 end
+ let(:policy3_rule) { create(:approval_policy_rule) }
 let(:warn_mode_policy_rule) { create(:approval_policy_rule, security_policy: warn_mode_db_policy) }
 before do
 create(:scan_result_policy_violation, project: project, merge_request: merge_request,
- scan_result_policy_read: policy3)
+ scan_result_policy_read: policy3, approval_policy_rule: policy3_rule)
 create(:report_approver_rule, :scan_finding, merge_request: merge_request,
- scan_result_policy_read: policy3, name: 'Other')
+ scan_result_policy_read: policy3, approval_policy_rule: policy3_rule, name: 'Other')
 create(:report_approver_rule, :scan_finding, merge_request: merge_request,
- scan_result_policy_read: policy3, name: 'Other 2')
+ scan_result_policy_read: policy3, approval_policy_rule: policy3_rule, name: 'Other 2')
 create(:scan_result_policy_violation, project: project, merge_request: merge_request,
 scan_result_policy_read: policy_warn_mode, approval_policy_rule: warn_mode_policy_rule)
 end
-- 
GitLab
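Review bot: `policy3_rule` is built with factory defaults, while the neighbouring `warn_mode_policy_rule` passes `security_policy: warn_mode_db_policy`, so the rule attached to policy3's violation and both approver rules is presumably tied to a factory-generated security policy unrelated to policy3. If policy3 has a backing security policy record (its definition is outside the hunk), pass it the same way, e.g. `let(:policy3_rule) { create(:approval_policy_rule, security_policy: policy3_db_policy) }`, where `policy3_db_policy` is a placeholder name. The same `let` is duplicated in the `#fail_open_policies` hunk of PATCH 1/2 and could be defined once next to `policy3`.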