
SAST documentation missing configuration guidance for CI/CD catalog components

Summary

The SAST documentation for excluding files/paths from scanning only covers configuration via CI/CD variables when using the classic include: template: syntax.

It does not explain how to achieve the same configuration when using CI/CD Catalog Components, which are configured through inputs rather than variables.

Problem

As more customers adopt CI/CD catalog components (including self-authored components in their internal catalogs, as in the case of the customer who reported this), they follow the SAST docs and set SAST_EXCLUDED_PATHS as a CI/CD variable. This approach does not work with components.

Components are configured through the inputs mechanism defined in their spec: section, which is a fundamentally different configuration pattern from CI templates: the component author decides which settings are exposed as inputs, and the consumer passes values for them under include: component: inputs:.

https://docs.gitlab.com/user/application_security/sast/#exclude-files-or-paths-from-being-scanned

Impact

  • Customers / users migrating from CI templates to CI/CD Components cannot easily find how to configure SAST exclusions (and other settings) in the official docs.
    • This affects both GitLab-maintained components (gitlab.com/components/sast) and customer-authored internal catalog components.
  • The gap creates confusion and increases support burden, especially for enterprise customers building internal CI/CD catalogs.

The following Ultimate customer (2000 seats) on GitLab Self-Managed 18.8.2 reported the issue to the CS team:

  • https://gitlab.my.salesforce.com/0014M00001gXuzw

Slack ref: https://gitlab.slack.com/archives/C019R5JD44E/p1770735365123399

Expected behavior

The SAST documentation page should include a dedicated section (or parallel examples) showing how to configure SAST settings, especially file/path exclusions, when using CI/CD Catalog Components via the inputs mechanism, alongside the existing template-based instructions.

Suggested fix

Add a note or subsection under Exclude files or paths from being scanned that:

  1. Explains that when using CI/CD components instead of CI templates, configuration is done via inputs: (not variables:).
  2. Provides an equivalent example using component syntax.
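The kind of parallel example the docs are missing, covering both the Problem section above and item 2 of the suggested fix. This is an added illustration written for this issue, not text from the SAST docs or the gitlab.com/components/sast project. It shows the existing variable-based configuration next to a self-authored internal component that exposes the same setting as an input. The component path my-group/ci-catalog/sast, the version 1.0.0 and the input name excluded_paths are assumptions for the example; a GitLab-maintained component may expose this setting under a different input name, so check the component's README for the inputs it actually declares.

```yaml
# ---------------------------------------------------------------------------
# 1) Classic template: the form the docs currently describe.
#    SAST_EXCLUDED_PATHS is a CI/CD variable read by the analyzers.
# ---------------------------------------------------------------------------
include:
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"

# ---------------------------------------------------------------------------
# 2) Self-authored internal component: templates/sast.yml in the component
#    project (assumed path my-group/ci-catalog). The spec: header declares
#    the inputs a consumer may set; the body after --- is ordinary CI config
#    that maps the input onto the SAST variable via $[[ inputs.* ]].
# ---------------------------------------------------------------------------
spec:
  inputs:
    excluded_paths:
      default: "spec, test, tests, tmp"
      description: "Comma-separated paths passed to SAST_EXCLUDED_PATHS"
    stage:
      default: test
      description: "Pipeline stage in which the SAST analyzers run"
---
include:
  - template: Jobs/SAST.gitlab-ci.yml

# The analyzer jobs in the SAST template extend the `sast` base job, so a
# job-level variable set here reaches every analyzer. Because job-level
# variables take precedence over top-level ones, a consumer's global
# `variables: SAST_EXCLUDED_PATHS` would be ignored: the input is the
# only supported knob.
sast:
  stage: $[[ inputs.stage ]]
  variables:
    SAST_EXCLUDED_PATHS: "$[[ inputs.excluded_paths ]]"

# ---------------------------------------------------------------------------
# 3) Consumer project .gitlab-ci.yml: configuration is passed as inputs,
#    not as variables. $CI_SERVER_FQDN resolves to the instance hosting the
#    internal catalog; the version is assumed for the example.
# ---------------------------------------------------------------------------
include:
  - component: $CI_SERVER_FQDN/my-group/ci-catalog/sast@1.0.0
    inputs:
      excluded_paths: "spec, test, tests, tmp, vendor"
      stage: test
```

A quick way to confirm the input took effect is to open the analyzer job log (for example semgrep-sast) and check the SAST_EXCLUDED_PATHS value printed by the analyzer at startup, or to use the pipeline editor's full-configuration view to see the interpolated job definition.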
Edited Feb 10, 2026 by Manuel Kraft