How to activate SAST policy for Merge Request

I have the following policy:

---
scan_execution_policy:
- name: Test SAST Scanning
  description: Testing for usage of features.
  enabled: true
  rules:
  - type: pipeline
    branches:
    - merge_requests
  - type: pipeline
    branches:
    - main
  - type: pipeline
    branches:
    - master
  actions:
  - scan: sast
    tags: []

This wont work with the merge_request pipeline that we build the current tooling is built around with the following rules:

  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

If I change the rule to use * instead for the branches it will run but in a separate pipeline like this:

So question is do I need to change the rule to run in not merge request and use branches instead (or another way):

  only:
    - branches

Or can I change the policy to trigger so the sast, dast and whatnot is running in the same pipeline instead of 2 separate pipelines?

There is no option.

branches:
    - merge_requests

I am not sure it can be applied to MR pipelines. But since you have a paid subscription I suggest to reach out to GitLab Support at support.gitlab.com where you will get faster and more qualified reply. This is just a community forum and not an official support channel.