
The documentation regarding disabling predefined rules (in SAST) needs improvement

Problem to solve

The documentation regarding disabling predefined rules (in SAST) needs improvement.

Specifically, the following (bold font) might lead to misunderstanding and is not entirely accurate:

When you disable a rule:

The Semgrep-based analyzer handles disabled rules differently:

  • To improve performance, the Semgrep-based analyzer doesn’t scan for disabled rules at all.
  • If you disable a rule in the Semgrep-based analyzer, existing vulnerability findings for that rule are automatically resolved after you merge the sast-ruleset.toml file to the default branch.

In fact,

  1. If a single rule is disabled (via [[semgrep.ruleset]]), Semgrep still uses it, as the doc says: "Most analyzers still scan for the vulnerability. The results are removed as a processing step after the scan completes, and they don't appear in the gl-sast-report.json artifact."
  2. If custom rulesets are used, the predefined rulesets (rule files) are replaced, which means that Semgrep does not use the predefined rulesets at all.
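As an added illustration (not part of the issue or the GitLab docs), here are the two configurations Facts 1 and 2 refer to: a `sast-ruleset.toml` that disables a single predefined rule, and one that supplies a custom ruleset through a passthrough. Rule ids, the message text and the target file name are placeholders.

```toml
# Added example, not taken from the issue or the GitLab docs. Two alternative
# .gitlab/sast-ruleset.toml files; use one or the other, not both in one file.
# Rule ids, messages and file names are placeholders.

# ---- File 1: disable one predefined rule ----
# Fact 1 from the issue: the Semgrep-based analyzer still runs this rule;
# its findings are removed in a post-scan processing step and therefore
# do not appear in gl-sast-report.json.
[semgrep]
  [[semgrep.ruleset]]
    disable = true
    [semgrep.ruleset.identifier]
      type = "semgrep_id"
      value = "PLACEHOLDER_RULE_ID"   # placeholder: the semgrep_id of the rule to disable

# ---- File 2: supply a custom ruleset ----
# Fact 2 from the issue: a custom ruleset replaces the predefined rule files,
# so Semgrep does not load the predefined rules at all; only the rules below run.
[semgrep]
  description = "Custom Semgrep rules replacing the predefined ruleset"
  [[semgrep.passthrough]]
    type = "raw"
    target = "custom-rules.yml"      # placeholder: file name written into the ruleset directory
    value = """
rules:
  - id: placeholder-rule             # placeholder rule id
    languages: [python]
    severity: WARNING
    message: "placeholder message: flag use of eval()"
    pattern: eval(...)
"""
```

With File 2 in place, any finding a predefined rule would have produced is simply never generated, whereas with File 1 the finding is produced and then filtered out before the report is written.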

Expectation

The documentation needs to be updated to reflect Facts 1 and 2 accurately.

Related issues

https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/424+s