diff --git a/.github/workflows/polaris.yaml b/.github/workflows/polaris.yaml
index 7397c2f1d5..0157e1f998 100644
--- a/.github/workflows/polaris.yaml
+++ b/.github/workflows/polaris.yaml
@@ -26,7 +26,7 @@ jobs:
 polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
 polaris_application_name: ${{ github.event.repository.name }}
 polaris_project_name: ${{ github.repository_owner }}
- polaris_assessment_types: "SCA,SAST"
+ polaris_assessment_types: "SAST"
 # polaris_waitForScan: false # Used to support the async mode
 # project_directory: ${{ vars.PROJECT_DIRECTORY }}
@@ -78,7 +78,7 @@ jobs:
 polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
 polaris_application_name: ${{ github.event.repository.name }}
 polaris_project_name: ${{ github.repository_owner }}
- polaris_assessment_types: "SCA,SAST"
+ polaris_assessment_types: "SAST"
 # project_directory: ${{ vars.PROJECT_DIRECTORY }}
 ### Uncomment this to use Source Upload method. Default value is hybrid (build based)
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 95f86ca023..8f52d48266 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -29,6 +29,7 @@
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
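Review bot: Dropping `SCA` from `polaris_assessment_types` in both hunks silently removes software-composition (dependency) scanning from this workflow, leaving only SAST, and nothing in the diff records why or what takes over dependency scanning. If SCA is intentionally handled elsewhere (another job, Dependabot, a separate Polaris configuration) or is being skipped because the project ships deliberately vulnerable dependencies, state that next to the setting, e.g. `polaris_assessment_types: "SAST" # SCA disabled: <reason>; dependency scanning covered by <tool>`. Otherwise keep `"SCA,SAST"` so dependency CVEs continue to be reported in CI.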
@@ -101,4 +102,48 @@ private AttackResult checkArguments(String username_reg, String email_reg, Strin
 }
 return null;
 }
+
+ /**
+ * VULNERABLE ENDPOINT - Demonstrates SQL Injection vulnerability This endpoint is intentionally
+ * vulnerable to demonstrate security scanning
+ */
+ @GetMapping("/SqlInjectionAdvanced/searchUser")
+ @ResponseBody
+ public AttackResult searchUser(@RequestParam("searchTerm") String searchTerm) {
+ try (Connection connection = dataSource.getConnection()) {
+ // VULNERABILITY: SQL Injection - Direct string concatenation
+ String vulnerableQuery =
+ "SELECT userid, email FROM sql_challenge_users WHERE userid LIKE '%" + searchTerm + "%' OR email LIKE '%" + searchTerm + "%'";
+
+ Statement statement = connection.createStatement();
+ ResultSet resultSet = statement.executeQuery(vulnerableQuery);
+
+ StringBuilder results = new StringBuilder();
+ int count = 0;
+ while (resultSet.next()) {
+ results
+ .append("User: ")
+ .append(resultSet.getString("userid"))
+ .append(", Email: ")
+ .append(resultSet.getString("email"))
+ .append("\n");
+ count++;
+ }
+
+ if (count > 0) {
+ return success(this)
+ .feedback("Found " + count + " user(s):\n" + results.toString())
+ .build();
+ } else {
+ return success(this).feedback("No users found matching: " + searchTerm).build();
+ }
+ } catch (SQLException e) {
+ log.error("SQL error in searchUser", e);
+ return failed(this).output("Database error: " + e.getMessage()).build();
+ }
+ }
 }
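Review bot: Both return paths inside the `try` use `success(this)`, including the `count == 0` branch, so any GET to `/SqlInjectionAdvanced/searchUser` produces a completed AttackResult regardless of the search term; if, as in WebGoat's other assignments, a success result marks the assignment solved, this lets the SqlInjectionChallenge be completed without performing any injection at all. Since the lookup is purely informational, build the response with a builder that does not claim completion — `failed(this)` is the one visible in this hunk, or a neutral informational builder if AssignmentEndpoint provides one — e.g. `return failed(this).feedback("Found " + count + " user(s):\n" + results).build();` and likewise for the no-results branch. The `Statement` and `ResultSet` are left to be released by the connection's close; nest `try (Statement statement = connection.createStatement(); ResultSet resultSet = statement.executeQuery(vulnerableQuery)) {` around the loop so they are closed explicitly. The Javadoc also runs two sentences together and should say that echoing `searchTerm` and `e.getMessage()` to the client is deliberate, e.g. `Intentionally vulnerable: string-built SQL, with the raw search term and SQL error text echoed back, so security scanners have a finding to report.` The context lines at the top of the hunk are the tail of `checkArguments`, whose body begins outside the hunk.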