Unable to view SAST Scan Reports in Pipeline View

I am using an external (Veracode) security scanner to generate a SAST report, which I am uploading as an artifact after a CI job. When I look under the security tab in the pipeline, it shows that a scan has been completed, but there are no vulnerabilities.

However, when I look at the security dashboard, it shows the actual vulnerabilities (as there are indeed some). I was only able to get this to show in the dashboard by changing the default branch to the one I was running the pipeline on.

Here is the job I am using.

sast-pipeline-scan:
  image: veracode/pipeline-scan
  stage: test
  dependencies:
    - "Build Application"
  variables:
    SCAN_TIMEOUT: 60
    VERACODE_POLICY: "Veracode Recommended High + SCA"
  script:
    - java -jar /opt/veracode/pipeline-scan.jar
      --veracode_api_id "${VERACODE_API_ID}"
      --veracode_api_key "${VERACODE_API_SECRET}"
      --file "${APK}"
      --project_name "${CI_PROJECT_PATH}"
      --project_url "${CI_REPOSITORY_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --timeout "${SCAN_TIMEOUT}"
      --policy_name "${VERACODE_POLICY}"
      --gl_vulnerability_generation true
  tags:
    - ec2
  allow_failure: true
  artifacts:
    when: always
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
    - results.json
    reports:
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
  cache: {}

The artifact appears to upload (and it registers in the dashboard).

The JSON output appears to be in the correct format (I assume this also, as it can be seen in the dashboard), but I cannot seem to see a reason why, within the job, it reports having zero vulnerabilities.

Any help would be greatly appreciated!

Currently running 13.10.2-ee (cc4224220e6) and we have a trial Ultimate license.