Clarify when kics scanner cannot scan Helm chart templates

Proposal

Make it clear that the kics scanner (as part of the SAST IaC scanner) cannot scan Helm chart templates. This could be done by emitting a warning in the SAST job output.

Doing so would prevent users from gaining a false sense of security: a user may assume the templates are scanned and interpret the absence of findings to mean that the templates contain no vulnerabilities.

Background

kics currently cannot scan Helm chart templates. It attempts to, but emits an error that looks like this:

ERR failed to parse file content: /builds/path/to/build/dir/templates/template.yaml error="failed to parse yaml: invalid yaml"

This makes sense, as the files are (intentionally) not valid YAML but carry the .yaml file extension. The error is currently visible in SAST IaC job logs only if the log level is set to debug. At the default log level it is not shown, and nothing indicates that the template files were skipped.

Additionally, this was only tested with YAML templates. I am uncertain what the current behavior is with .tpl Helm chart templates.
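As an added example (not kics or GitLab code), a small pre-scan check that lists the Helm template files kics would fail to parse and prints the kind of warning this proposal asks for. It assumes a standard chart layout (Chart.yaml beside a templates/ directory), treats .tpl files the same way as .yaml/.yml (an assumption), and uses a constructed sample chart for the demo.

```python
import os
import re
import tempfile

# Helm templates fail kics's YAML parser because of Go-template actions
# ({{ ... }}); looking for them is a cheap pre-scan check. Added example.
GO_TEMPLATE_ACTION = re.compile(r"\{\{.*?\}\}", re.DOTALL)
TEMPLATE_EXTENSIONS = (".yaml", ".yml", ".tpl")  # .tpl handling is an assumption


def looks_like_helm_template(text: str) -> bool:
    """True if the content contains at least one Go-template action."""
    return GO_TEMPLATE_ACTION.search(text) is not None


def find_unscannable_helm_templates(root: str) -> list[str]:
    """Paths (relative to root, '/'-separated) of files under a chart's templates/
    directory with a YAML or .tpl extension that contain Go-template actions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # A templates/ dir counts as a chart's only if Chart.yaml sits beside it.
        if os.path.basename(dirpath) != "templates":
            continue
        if not os.path.isfile(os.path.join(os.path.dirname(dirpath), "Chart.yaml")):
            continue
        for name in files:
            if not name.endswith(TEMPLATE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if looks_like_helm_template(fh.read()):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def demo() -> list[str]:
    """Write a constructed sample chart to a temp dir, run the check, warn, and return hits."""
    chart = os.path.join(tempfile.mkdtemp(), "mychart")
    os.makedirs(os.path.join(chart, "templates"))
    samples = {
        "Chart.yaml": "apiVersion: v2\nname: mychart\nversion: 0.1.0\n",
        "values.yaml": "image: nginx:1.25\n",  # plain YAML outside templates/, not flagged
        "templates/deployment.yaml": "kind: Deployment\nspec:\n  image: {{ .Values.image }}\n",
        "templates/_helpers.tpl": '{{- define "mychart.name" -}}{{ .Chart.Name }}{{- end }}\n',
    }
    for rel, body in samples.items():
        with open(os.path.join(chart, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    skipped = find_unscannable_helm_templates(os.path.dirname(chart))
    for rel in skipped:
        print(f"WARNING: Helm template {rel} is not valid YAML and was not scanned by kics")
    return skipped
```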

Related issues

This was brought to my attention by a large, Ultimate customer in a Support ticket (internal). GitLab team members can see details in the ticket.

There is also an issue in the upstream repo: https://github.com/Checkmarx/kics/issues/7161

Edited by Christopher Mutua