Change steps and encourage MRs in appsec Getting Started guide

What does this MR do?

Change "Get started" guidance:

• From "commit directly to your default branch"
• To "create an MR with configuration changes and verify them before merging to your default branch"

Why? Direct changes to the default branch are highly disruptive and may violate organizations' code review requirements. We explicitly warn against making direct changes on the default branch in every scanner documentation page (!90106 (merged)), so we shouldn't encourage this practice in getting-started intro content.

While in the area:

• Introduce more conceptual background up front, instead of in sub-bullets
• Introduce a step about choosing a good testing project
• Suggest monitoring vuln trends before implementing a scan result policy

There's more that could be done, but I hit my timebox. For example:

• It would probably be worth cutting the steps into more limited phases. For example, you might stop after implementing scan result policies for SD and DS, rather than going all the way through to enabling every security feature and enforcing its execution.
• Scheduled pipelines are probably way less useful now that we have Continuous Vulnerability Scanning. The guidance there may now also be incorrect.
• We could be more opinionated about which features to enable next, rather than having them all in one bucket ("Enable other scan types such as SAST, DAST, Fuzz testing, or Container Scanning.")
• etc.

Related issues

MR introducing this guidance: !90106 (merged)

Author's checklist

• Optional. Consider taking the GitLab Technical Writing Fundamentals course.
• Follow the:
  • Documentation process.
  • Documentation guidelines.
  • Style Guide.
• If you're adding or changing the main heading of the page (H1), ensure that the product tier badge is added.
• If you are a GitLab team member, request a review based on:
  • The documentation page's metadata.
  • The associated Technical Writer.

If you are a GitLab team member and only adding documentation, do not add any of the following labels:

• ~"frontend"
• ~"backend"
• ~"type::bug"
• ~"database"

These labels cause the MR to be added to code verification QA issues.

Reviewer's checklist

Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on Documentation Guidelines and the Style Guide.

If you aren't sure which tech writer to ask, use roulette or ask in the #docs Slack channel.

• If the content requires it, ensure the information is reviewed by a subject matter expert.
• Technical writer review items:
  • Ensure docs metadata is present and up-to-date.
  • Ensure the appropriate labels are added to this MR.
  • Ensure a release milestone is set.
  • If relevant to this MR, ensure content topic type principles are in use, including:
    • The headings should be something you'd do a Google search for. Instead of Default behavior, say something like Default behavior when you close an issue.
    • The headings (other than the page title) should be active. Instead of Configuring GDK, say something like Configure GDK.
    • Any task steps should be written as a numbered list.
    • If the content still needs to be edited for topic types, you can create a follow-up issue with the docs-technical-debt label.
• Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review.