Implementing CI/CD for merge request diff - SAST

Hi,

We have a hosted Community Edition of GitLab, which doesn't support SAST.

We want to do a few checks before merging an MR, like static analysis, and are left with two options.

  1. Invoke a REST API with the project and MR details, which could generate the MR diff from the command line, do static analysis and return whether the MR is mergeable.
  2. Do a shell script check in the pipeline Docker image itself. This is faster because of shell, but since every time a new image is loaded in the VM for the pipeline, should we clone the repo and generate the diff? Or is there any environment variable for the diff?

There is also a merge request diff API, but with versions.

What would be the correct approach?
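An added example of the second option (this is not code from the original post or from GitLab): the job derives the MR diff from the checkout the runner already performs, then hands only the changed source files to the scanner. It assumes the job runs in a merge request pipeline, where GitLab sets the predefined variable CI_MERGE_REQUEST_TARGET_BRANCH_NAME; the repository it diffs is a constructed throwaway one standing in for the runner's checkout.

```shell
#!/bin/sh
# Added example (not from the original post). In a merge request pipeline the
# runner has already cloned the source branch, so the MR diff can be produced
# locally with git instead of calling the merge request diff API.
set -u

# Paths changed between BASE and HEAD, filtered to extensions the SAST tool
# scans. Deleted files are skipped (--diff-filter=ACMR): nothing left to scan.
changed_files() {
  git -C "$1" diff --name-only --diff-filter=ACMR "$2" "$3" \
    | grep -E '\.(py|js|go|java|rb|c)$' || true
}

# GitLab's MR diff base is the merge-base of the target branch and the MR head.
# CI_MERGE_REQUEST_TARGET_BRANCH_NAME is a GitLab predefined variable set only
# in merge request pipelines. On a real runner the shallow clone usually needs
# `git fetch origin "$target"` first; skipped here because the demo repo has
# no remote.
mr_diff_base() {
  target="${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-main}"
  git -C "$1" merge-base "$target" HEAD
}

# Constructed stand-in for the runner's checkout: a throwaway repo with a
# target branch `main` and an MR branch that modifies, adds and deletes files.
build_demo_repo() {
  repo="$(mktemp -d)"
  export GIT_AUTHOR_NAME=ci GIT_AUTHOR_EMAIL=ci@example.invalid
  export GIT_COMMITTER_NAME=ci GIT_COMMITTER_EMAIL=ci@example.invalid
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  printf 'print("v1")\n' > "$repo/app.py"
  printf 'old\n' > "$repo/legacy.py"
  git -C "$repo" add -A && git -C "$repo" commit -q -m 'base'
  git -C "$repo" checkout -q -b feature
  printf 'print("v2")\n' > "$repo/app.py"   # modified: must be scanned
  printf 'x\n' > "$repo/handler.js"          # added: must be scanned
  printf 'notes\n' > "$repo/README.md"       # added, but not a source file
  git -C "$repo" rm -q legacy.py             # deleted: nothing to scan
  git -C "$repo" add -A && git -C "$repo" commit -q -m 'mr change'
  printf '%s' "$repo"
}

# In the CI job the list would be piped to the scanner, e.g.
#   changed_files "$CI_PROJECT_DIR" "$(mr_diff_base "$CI_PROJECT_DIR")" HEAD | xargs -r <sast-tool>
if [ "${1:-}" = demo ]; then
  r="$(build_demo_repo)"
  changed_files "$r" "$(mr_diff_base "$r")" HEAD
fi
```

Run with `sh script.sh demo` to see the two scannable files the constructed MR touches; a non-zero exit from the scanner step is what makes the MR unmergeable when the job is marked as required.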