test: tighten pickle safe builtin assertions

mldangelo · mldangelo · commit 92d97dc2df39 · 2026-03-13T18:38:47.000-04:00
diff --git a/tests/scanners/test_pickle_scanner.py b/tests/scanners/test_pickle_scanner.py
@@ -701,9 +701,30 @@ def test_safe_builtins_remain_allowlisted(self) -> None:
             result = self._scan_bytes(self._craft_global_reduce_pickle("builtins", safe_builtin))
 
             assert result.success
+            assert not result.has_warnings
             assert not result.has_errors, (
                 f"Expected builtins.{safe_builtin} to remain non-failing, got: {[i.message for i in result.issues]}"
             )
+            passed_global_checks = [
+                check
+                for check in result.checks
+                if check.name == "Global Module Reference Check" and check.status == CheckStatus.PASSED
+            ]
+            assert any(f"builtins.{safe_builtin}" in check.message for check in passed_global_checks), (
+                f"Expected passed Global Module Reference Check for builtins.{safe_builtin}, "
+                f"got: {[check.message for check in passed_global_checks]}"
+            )
+            passed_reduce_checks = [
+                check
+                for check in result.checks
+                if check.name == "REDUCE Opcode Safety Check" and check.status == CheckStatus.PASSED
+            ]
+            assert any(
+                check.details.get("associated_global") == f"builtins.{safe_builtin}" for check in passed_reduce_checks
+            ), (
+                f"Expected passed REDUCE check for builtins.{safe_builtin}, "
+                f"got: {[check.details for check in passed_reduce_checks]}"
+            )
 
     def test_dangerous_builtins_still_fail(self) -> None:
         """Dangerous builtins must continue to fail after allowlist tightening."""
