Simplify SAST component to match CI template (!34) · Merge requests · GitLab components / SAST

What does this MR do and why?

Simplifies the SAST component logic, introduced by Upgrade to latest rules (!27 - merged) • Klok, to match the semgrep-sast job from the SAST.gitlab-ci.yml template.

When a single *.php file exists:

and run_advanced_sast: true is set:

Both the gitlab-advanced-sast and semgrep-sast jobs are present: pipeline.

note: in this case, the ideal behaviour is to only run a single gitlab-advanced-sast job, and the semgrep-sast job should not be present, however, due to the concerns pointed out in Refactor php-related SAST rules (gitlab-org/gitlab#559997 - closed) • Adam Cohen • 18.4, we've decided to implement this behaviour for now.
and run_advanced_sast: false is set:

Only a single semgrep-sast job is present: pipeline

Edited Aug 05, 2025 by Adam Cohen