Security secret detection scan doesn't pick up remote ruleset

Summary

The documentation describes how a ruleset from a remote repository can be used for secret detection scans. But remote rulesets seem to be ignored.

Steps to reproduce

  1. Create a public project
  2. Add a new file .gitlab/secret-detection-ruleset.toml with content:
    [secrets]
      [[secrets.ruleset]]
        disable = true
        [secrets.ruleset.identifier]
          type = "gitleaks_rule_id"
          value = "RSA private key"
  3. Add a new file .gitlab-ci.yml with content:
    include:
      template: Jobs/Secret-Detection.gitlab-ci.yml
  4. Create a new MR on the project that introduces a new file privatekey with content:
    -----BEGIN RSA PRIVATE KEY-----
    123
    -----END RSA PRIVATE KEY-----
  5. Wait for the pipeline to finish and check out the pipeline Security tab
  6. There should be no vulnerability because it got filtered out by the ruleset. This shows that a local ruleset works.
  7. Create a new project.
  8. Add a new file .gitlab-ci.yml with content and replace {{PATH_TO_YOUR_RULESET_PROJECT}} with the path to your ruleset project:
    include:
      template: Jobs/Secret-Detection.gitlab-ci.yml
    variables:
      SECRET_DETECTION_RULESET_GIT_REFERENCE: 'gitlab.com/{{PATH_TO_YOUR_RULESET_PROJECT}}'
  9. Create a new MR on the project that introduces a new file privatekey with content:
    -----BEGIN RSA PRIVATE KEY-----
    123
    -----END RSA PRIVATE KEY-----
  10. Wait for the pipeline to finish and check out the pipeline Security tab
  11. It shows a new vulnerability even though the remote ruleset file should filter it out.

Example Project

https://gitlab.com/gitlab-org/govern/security-policies/andys-test-group/refine-issue-422946/secret-detection