Issues from vulns default to confidential

app/controllers/projects/issues_controller.rb

@@ -105,7 +105,7 @@ class Projects::IssuesController < Projects::ApplicationController
     build_params = issue_create_params.merge(
       merge_request_to_resolve_discussions_of: params[:merge_request_to_resolve_discussions_of],
       discussion_to_resolve: params[:discussion_to_resolve],
-      confidential: !!Gitlab::Utils.to_boolean(params[:issue][:confidential])
+      confidential: issue_create_params[:confidential] || !!Gitlab::Utils.to_boolean(params[:issue][:confidential])
     )
     service = ::Issues::BuildService.new(project, current_user, build_params)
 

ee/changelogs/unreleased/296776-issues-created-from-vulnerabilities-set-to-confidential-by-defa.yml

+---
+title: Issues created from Vulnerabilities set to Confidential by default
+merge_request: 52127
+author:
+type: changed

ee/spec/controllers/projects/issues_controller_spec.rb

@@ -69,11 +69,19 @@ RSpec.describe Projects::IssuesController do
           let(:vulnerability) { create(:vulnerability, project: project, findings: [finding]) }
           let(:vulnerability_field) { "<input type=\"hidden\" name=\"vulnerability_id\" id=\"vulnerability_id\" value=\"#{vulnerability.id}\" />" }
 
+          subject { get :new, params: { namespace_id: project.namespace, project_id: project, vulnerability_id: vulnerability.id } }
+
           it 'sets the vulnerability_id' do
-            get :new, params: { namespace_id: project.namespace, project_id: project, vulnerability_id: vulnerability.id }
+            subject
 
             expect(response.body).to include(vulnerability_field)
           end
+
+          it 'sets the confidential flag to true by default' do
+            subject
+
+            expect(assigns(:issue).confidential).to eq(true)
+          end
         end
       end