SAST report doesn't work for merged results pipelines

Summary

When pipeline for merged results is active SAST report is skipped

Steps to reproduce

Activate pipelines for merged results and include SAST report according to documentation:

include:
  - template: Security/SAST.gitlab-ci.yml

Example Project

Here is the example pipeline: https://gitlab.com/petr.plenkov/gitlab-sast-to-sonarqube/-/pipelines/419624044

What is the current bug behavior?

Current template is checking $CI_COMMIT_BRANCH which is not declared in case of merged results

What is the expected correct behavior?

When merged results pipelines are active SAST report analyzes the merged state and indicates possible vulnerabilities which code may have after merge