Be able to choose the latest templates from the scan execution policy configuration

Proposal

We should be able to choose the latest templates from the scan execution policy configuration.

The stable SAST templates themselves define rules so that the jobs only run in branch pipelines, not in merge request pipelines:

This is technically resolved in the latest versions of the templates:


However, we can't choose the latest templates from the scan execution policy configuration.

You can work around this with the unsupported hack of replacing the template files on the filesystem of a self-managed (SM) instance:

cd /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ci/templates/Jobs/

# Create backups of the files
mv SAST.gitlab-ci.yml SAST.gitlab-ci.yml.ZD391925.2023-06-21
mv SAST-IaC.gitlab-ci.yml SAST-IaC.gitlab-ci.yml.ZD391925.2023-06-21

# Copy latest files and name them accordingly
cp SAST-IaC.latest.gitlab-ci.yml SAST-IaC.gitlab-ci.yml
cp SAST.latest.gitlab-ci.yml SAST.gitlab-ci.yml

But that replaces the template for every project that includes SAST, not just the ones covered by the policy, and the change is reverted by the next GitLab upgrade.
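Because the file swap is unsupported and silently undone on upgrade, it is worth wrapping it so it can be applied, checked and reverted deliberately. The following is an added example, not part of the original issue and not GitLab code: it assumes the Jobs template directory layout from the commands above and a backup suffix (tag) chosen by the operator, and adds a check that tells you whether the swap is still in place after an upgrade.

```shell
# Added example (not from the issue): apply, check and revert the template swap.
# Assumptions: the templates directory contains SAST.gitlab-ci.yml,
# SAST-IaC.gitlab-ci.yml and their .latest counterparts; TAG is an
# operator-chosen suffix for the backup copies (e.g. ZD391925.2023-06-21).

# Usage: swap_latest_templates <templates_dir> <tag>
# Backs up the stable SAST templates and replaces them with the .latest copies.
swap_latest_templates() {
  dir="$1"; tag="$2"
  for name in SAST SAST-IaC; do
    stable="$dir/$name.gitlab-ci.yml"
    latest="$dir/$name.latest.gitlab-ci.yml"
    backup="$stable.$tag"
    # Refuse to run if the .latest file is missing or a backup with this tag exists,
    # so a second run cannot overwrite the only copy of the stable template.
    [ -f "$latest" ] || { echo "missing $latest" >&2; return 1; }
    [ -f "$backup" ] && { echo "backup $backup already exists" >&2; return 1; }
    cp -p "$stable" "$backup"
    cp -p "$latest" "$stable"
  done
}

# Usage: restore_templates <templates_dir> <tag>
# Puts the stable templates back from the backups made by swap_latest_templates.
restore_templates() {
  dir="$1"; tag="$2"
  for name in SAST SAST-IaC; do
    stable="$dir/$name.gitlab-ci.yml"
    backup="$stable.$tag"
    [ -f "$backup" ] || { echo "no backup $backup" >&2; return 1; }
    mv "$backup" "$stable"
  done
}

# Usage: templates_swapped <templates_dir>
# Returns 0 when both stable templates are byte-identical to their .latest
# versions, i.e. the swap is in effect; returns 1 otherwise (for example after
# a GitLab upgrade has reinstalled the original files).
templates_swapped() {
  dir="$1"
  for name in SAST SAST-IaC; do
    cmp -s "$dir/$name.gitlab-ci.yml" "$dir/$name.latest.gitlab-ci.yml" || return 1
  done
  return 0
}
```

Run swap_latest_templates against /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ci/templates/Jobs with your chosen tag, and call templates_swapped from a post-upgrade check so you notice when the package has put the stable templates back.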


Furthermore, we tried to override the rules of the template jobs in the project's own configuration, but that doesn't work either, because GitLab's pipeline validation doesn't know about the jobs the scan execution policy will add. If we have something like:

kics-iac-sast:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

semgrep-sast:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

in the project's YAML, GitLab doesn't know where those jobs come from at validation time, because jobs added through a scan execution policy are not merged the way an "include:template" is. So the pipeline fails with a "jobs:kics-iac-sast config should implement a script: or a trigger: keyword" error.