Research SAST flow
SAST is mentioned multiple times in the context of this epic, and it's a relatively simple (and hopefully widely adopted) feature. I'd like to start with understanding how SAST works so we could make suggestions on where to add the instrumentation for this feature.
This issue serves to document the flow of the SAST feature from end to end, specifically from a user pushing a commit in an MR until a vulnerability finding is shown in the MR.
References:
Edited by Marco Gregorius