Add default SAST scan profile (!226747) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Add default SAST scan profile based on Design: Enablement-only SAST profile (#591552) • Michael Fangman

Changelog: changed
EE: true

How to set up and validate locally

Select a root group g without SAST security scan profiles.

Use this GraphQL query to get the available (default) profiles:

query test {
  group(fullPath: "<g.full_path>") {
    availableSecurityScanProfiles(type: SAST) {
      id
      scanType
      name
      description
      gitlabRecommended
      triggers
    }
  }
}

Verify there is no SAST profiles available.

Use this mutation to attach the default sast profile to the projects under group g, and verify it fails with The resource that you are attempting to access does not exist:

    mutation {
   securityScanProfileAttach(
     input: {
       securityScanProfileId: "gid://gitlab/Security::ScanProfile/sast"
       groupIds: ["gid://gitlab/Group/<g.id>"]
     }
   ) {
     errors
   }
 }

Turn :security_scan_profiles_sast feature flag on:
Feature.enable(:security_scan_profiles_sast)
Using the same query, verify that default SAST profile is returned with the correct name, description and triggers.
Using the same mutation, verify you are able to attach the default SAST profile to projects under g.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Mar 11, 2026 by Gal Katz

Add default SAST scan profile

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports