In the GitLab documentation the header of the page about Static Application Security Testing says “All tiers”. Yet in the free or premium tier I haven’t been able to find anything useful about this feature.
In the 8th paragraph of the SAST documentation, there’s a “Summary of features per tier” comparison. Only then it becomes obvious that in the free and premium tiers, the functionality is absolutely useless. Yes, you can configure SAST jobs within your pipelines, either using standard GitLab jobs or writing one from scratch. Yes, you can store the JSON report as a pipeline artgifact. Yes, you can download the JSON report. But that can’t seriously be considered a useful feature.
Am I missing something in GitLab which makes the SAST feature on the Premium of Free tiers even the least bit useful? Downloading a JSON report doesn’t count. If not, I believe the “All tiers” badge misleading at best.
By the way, the same goes for Container scanning.