Going a step further, GitLab can show the vulnerability list right in the merge request widget area.
If you distribute your application with Docker, there is a good chance that your image is built on other Docker images, which may in turn contain known vulnerabilities that could be exploited.
Adding a job to your pipeline that checks for those vulnerabilities, and having the results displayed inside the merge request, makes it easy to audit your Docker-based apps before changes are merged.
In order for the report to show in the merge request, you need to define a job named `sast:container` (exact name) that analyzes the Docker image and uploads the resulting `gl-sast-container-report.json` file as an artifact (exact filename). GitLab then reads this file and shows the findings inside the merge request.
This JSON file needs to be the only artifact file for the job. If you include other files in the job's artifacts, the vulnerability display in the merge request will break.
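The following `.gitlab-ci.yml` job is an added example, not a snippet from the GitLab documentation: it shows the exact job name and the single-artifact requirement described above. The scanner invocation (`./scan-image.sh`) is a placeholder for whatever tool the linked Docker image example uses; the `$CI_*` variables are GitLab's predefined CI variables.

```yaml
# Added example of a job that satisfies the merge request widget's requirements.
sast:container:                      # exact job name GitLab looks for
  image: docker:stable
  stage: test
  services:
    - docker:dind
  variables:
    DOCKER_DRIVER: overlay2
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    # PLACEHOLDER: run your image scanner here and write its findings to the
    # exact filename GitLab expects, in the project root.
    - ./scan-image.sh "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" > gl-sast-container-report.json
  artifacts:
    paths:
      - gl-sast-container-report.json   # must be the ONLY artifact path
    # Do NOT add a second path here (for example `- scan.log`): an extra
    # artifact file stops GitLab from rendering the vulnerability list in the
    # merge request. Keep any other output out of the artifacts block.
```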
For more information on what the `sast:container` job should look like, check the example on analyzing a Docker image for vulnerabilities.