SAST vulnerabilities are not being surfaced in MR view and IaC scanning floods results

When the IaC scanner (kics) is enabled along with the SAST scanner (semgrep), the vulnerability Merge Request View does not display the SAST scanner results, just the IaC ones.

include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/SAST-IaC.gitlab-ci.yml

Introduce an MR with both SAST and IaC vulnerabilities
Wait for the pipeline to complete
Take a look at the MR view and notice that no SAST vulnerabilities are displayed, but there are many IaC vulnerabilities
Open the Full Report
Scroll to the bottom and notice some SAST vulnerabilities from Semgrep/bandit/etc. detected

Regular SAST vulnerabilities are not displayed along with IaC vulnerabilities in the MR-view. Note: both are present in the full-report.

Both SAST and IaC vulnerabilities should be present in the MR-view and full report.

Viewing the MR view scanner widget
view-mr-vulns

Full report of the same MR
full-report

This bug happens on GitLab.com

I believe this may be caused by the gl-sast-report.json report either being overwritten or not generated properly.

My suggestion for the best experience would be to separate SAST scanner results from IaC scanner results. I suggest this because:

SAST vulnerabilities may be handled by different personas than IaC vulnerabilities (AppSec vs. Infra team)
The separation makes it easy to make a plan on what to resolve
IaC vulnerabilities are unique to infrastructure

Edited May 24, 2023 by Fern