Advanced SAST GA - Disabled by default and when enabled, only on supported languages

We are splitting the GA rollout of GitLab Advanced SAST into two separate pieces:

  1. Make the engine available, with Generally Available maturity, on an opt-in basis.
    • This will happen in %17.3 or soon after.
  2. Change Ultimate users to GitLab Advanced SAST by default.

During the opt-in phase:

  • We will start out by adding the Advanced SAST analyzer, covering only the languages where we have enabled Advanced SAST.
  • Existing analyzers will cover the same languages they do today, until Advanced SAST is ready to take them over. We will not remove any analyzers yet.
  • We will introduce a CI/CD variable to control whether Advanced SAST is used at all. When users set this variable:
    • The Advanced SAST job will run.
    • Other jobs will be told to skip languages that Advanced SAST supports.

After Advanced SAST is on by default, we will revisit which analyzers cover which languages, with a goal of having a single analyzer for as many languages as possible in Ultimate.

Issues:

  • Tell Semgrep not to scan languages that we are currently scanning with Advanced SAST - Python, Go, Java, JavaScript, TypeScript, C#. (See Enable GitLab Advanced SAST (cross-file, cross-... (&14312) for further progress.)
  • Add a CI/CD variable for enabling Advanced SAST, which is disabled by default.
    • Proposed name: SAST_ENABLE_ADVANCED. Rationale: GitLab SAST configuration variables are prefixed SAST_; we should use positive names (enable, not disable); and SAST_ENABLE_ADVANCED_SAST would say "SAST" twice. Alternatives welcome.
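The following is an added illustration, not configuration from this issue or from GitLab's shipped templates, of the opt-in mechanism described above (the variable that makes the Advanced SAST job run and tells other jobs to skip its languages) using the proposed SAST_ENABLE_ADVANCED name. The job name advanced-sast, the image path, and the SAST_ADVANCED_COVERED_LANGUAGES variable are assumptions for the example; Jobs/SAST.gitlab-ci.yml, semgrep-sast, rules:if, rules:variables, and artifacts:reports:sast are existing GitLab CI features.

```yaml
# Added example, not GitLab's shipped configuration.
# Shows how a project opts in during the opt-in phase and how jobs can be
# gated on the proposed SAST_ENABLE_ADVANCED variable.

include:
  - template: Jobs/SAST.gitlab-ci.yml   # existing SAST template

variables:
  # Opt in. Leaving this unset keeps today's behaviour: the existing
  # analyzers cover every language and the Advanced SAST job does not run.
  SAST_ENABLE_ADVANCED: "true"

# Hypothetical job for the new engine (name and image are assumptions).
advanced-sast:
  stage: test
  image: registry.example.com/advanced-sast:PLACEHOLDER   # placeholder image
  script:
    - /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    # Run only when the user has explicitly opted in.
    - if: $SAST_ENABLE_ADVANCED == "true"
    - when: never

# Existing analyzer job: when Advanced SAST is enabled, hand over the
# languages listed in this issue. The variable name the analyzer would read
# is an assumption; the language list is the one from the issue.
semgrep-sast:
  rules:
    - if: $SAST_ENABLE_ADVANCED == "true"
      variables:
        SAST_ADVANCED_COVERED_LANGUAGES: "python,go,java,javascript,typescript,csharp"
    - when: on_success
```

Note that overriding semgrep-sast:rules in a project file replaces the template's own rules (for example its SAST_DISABLED and SAST_EXCLUDED_ANALYZERS handling), so in practice this gating belongs inside the template, which is what the plan above proposes; the project-level override is shown only to make the control flow visible.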
Edited by Connor Gilbert