Docs feedback: SAST runs only on branches
The default implementation of the SAST template runs only on branches, as seen in any of the rules directives:

```yaml
rules:
  - if: $CI_COMMIT_BRANCH &&
        $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
```
This isn't quite documented and, if you follow one of the two provided workflow rules templates, you'll be surprised to have no security scan jobs created in your pipelines, despite including the template.
```yaml
workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

https://docs.gitlab.com/ee/ci/yaml/#workflowrules-templates
I guess that's because CI_COMMIT_BRANCH is undefined in MRs.
> Not present in merge request pipelines or tag pipelines.

https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
I can customize the job definition, which I figured out thanks to the docs that already exist, but it's odd and seems like something that could be documented explicitly or added to the SAST template.
```yaml
security-code-scan-sast:
  rules:
    - if: $CI_MERGE_REQUEST_IID &&
          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
      exists:
        - '**/*.csproj'
        - '**/*.vbproj'
```
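The situation described in this issue, as an added example that is not part of the issue or of GitLab's own template: a complete `.gitlab-ci.yml` that uses the documented merge-request/tag/default-branch workflow rules and overrides the `security-code-scan-sast` job so the scan is also created in merge request pipelines. The include path `Security/SAST.gitlab-ci.yml` is the standard SAST template include; the job name, variable and `exists` patterns come from the issue text. The assumption is that overriding `rules` on the job replaces the template's rules for that job entirely, so the default-branch condition is restated rather than inherited.

```yaml
# Added example: .gitlab-ci.yml that keeps the SAST job alive under the
# merge-request / tag / default-branch workflow rules.
include:
  - template: Security/SAST.gitlab-ci.yml   # defines security-code-scan-sast and the other analyzer jobs

workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID                     # merge request pipelines (CI_COMMIT_BRANCH is unset here)
    - if: $CI_COMMIT_TAG                            # tag pipelines (CI_COMMIT_BRANCH is unset here too)
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH   # pushes to the default branch

# Overriding `rules` replaces the template's rules for this job wholesale
# (assumption, see lead-in), so both cases that the workflow lets through and
# that have a .NET project file are listed explicitly.
security-code-scan-sast:
  rules:
    - if: $CI_MERGE_REQUEST_IID &&
          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
      exists:
        - '**/*.csproj'
        - '**/*.vbproj'
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
      exists:
        - '**/*.csproj'
        - '**/*.vbproj'
```

The check a reviewer wants after applying this is simple: open a merge request pipeline and confirm `security-code-scan-sast` appears in its job list, since with the unmodified template it silently disappears under these workflow rules and no findings reach the merge request. The same override pattern applies to any of the other analyzer jobs in the template whose rules key on `$CI_COMMIT_BRANCH`.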