BUG: CodeQL default config not identified #3451
Describe the bug
I've run into a scenario where the project was running CodeQL using the default configuration.
Then, looking into the runs on Actions, I noticed it was running the CodeQL check on all commits and PRs: https://github.com/protocolbuffers/protobuf/actions/workflows/github-code-scanning/codeql
But since there is no config yml file for this action run, the score for the project in the SAST check is 0/10.

Reproduction steps
Steps to reproduce the behavior:
scorecard --repo=protocolbuffers/protobuf --checks=SAST --show-details

Expected behavior
Since the project is indeed running SAST for all commits, this should be identified.

Additional context
In this specific scenario, it is not running for all available programming languages, but I believe Scorecard is not considering this to grant a score currently. In this case, I'd say protocolbuffers/protobuf should score 10/10 in SAST.

Comments
I believe this is because they don't merge PRs, and Scorecard currently looks for SAST tools before merging. Some discussion here:

Hmm, it can be the case then. If I find any similar scenario that does merge PRs, I can bring it here. Otherwise, I believe this can be solved for now.

Actually, I have one question: why does it need to be merged for the SAST run to be considered? The Security Dashboard will be filled with the findings anyway, right? And issues can occasionally be fixed because of that.

My understanding is it's to find bugs before they're merged, not after.
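As an added illustration of the gap this thread describes (this is not Scorecard's code and not the reporter's; it is a toy model written for this page): a file-based SAST check only sees a checked-in workflow that invokes the CodeQL action, while default setup produces Actions runs without any YAML in the repository. The WorkflowRun record, its field names, the constructed sample data and the "dynamic/github-code-scanning/codeql" path are assumptions modelled on the Actions URL quoted in the issue; the pre-merge flag models the "before merging" argument from the comments.

```python
# Added illustration for this issue: a toy model of two ways of deciding whether a
# repository runs SAST. NOT Scorecard's code; record shapes, field names and the
# "dynamic/..." workflow path are assumptions modelled on the workflow URL in the issue.
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Tail of the Actions URL in the issue: .../actions/workflows/github-code-scanning/codeql
CODEQL_DEFAULT_SETUP_PATH = "github-code-scanning/codeql"
# Triggers that run before a change is merged (the requirement raised in the comments)
PRE_MERGE_EVENTS = {"pull_request", "pull_request_target"}


@dataclass(frozen=True)
class WorkflowRun:
    """One workflow run (constructed shape, not the GitHub API schema)."""
    workflow_path: str  # path of the workflow that produced the run
    event: str          # trigger, e.g. "push" or "pull_request"
    conclusion: str     # "success", "failure", ...


def sast_from_workflow_files(workflow_files: Dict[str, str]) -> bool:
    """File-based detection: a checked-in workflow under .github/workflows/ that
    invokes the CodeQL analyze action. Default setup adds no such file, which is
    why this strategy reports nothing for the repository in the issue."""
    return any("github/codeql-action/analyze" in body for body in workflow_files.values())


def sast_from_workflow_runs(runs: Iterable[WorkflowRun], require_pre_merge: bool = True) -> bool:
    """Run-based detection: the repository counts as running SAST if default-setup
    CodeQL runs exist. With require_pre_merge=True at least one of them must have
    been triggered by a pull request, matching the "before merging" argument."""
    codeql_runs = [r for r in runs if r.workflow_path.endswith(CODEQL_DEFAULT_SETUP_PATH)]
    if not codeql_runs:
        return False
    if not require_pre_merge:
        return True
    return any(r.event in PRE_MERGE_EVENTS for r in codeql_runs)


def compare_strategies(workflow_files: Dict[str, str], runs: List[WorkflowRun]) -> Dict[str, bool]:
    """Evaluate every strategy on the same repository snapshot."""
    return {
        "file_based": sast_from_workflow_files(workflow_files),
        "run_based_any_event": sast_from_workflow_runs(runs, require_pre_merge=False),
        "run_based_pre_merge": sast_from_workflow_runs(runs, require_pre_merge=True),
    }


# Constructed snapshot: one ordinary CI workflow file, no CodeQL YAML, but default-setup
# CodeQL runs on both pushes and pull requests (the situation described in the issue).
SAMPLE_WORKFLOW_FILES = {
    ".github/workflows/ci.yml": (
        "on: [push, pull_request]\n"
        "jobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n"
    ),
}
SAMPLE_RUNS = [
    WorkflowRun("dynamic/github-code-scanning/codeql", "push", "success"),
    WorkflowRun("dynamic/github-code-scanning/codeql", "pull_request", "success"),
    WorkflowRun(".github/workflows/ci.yml", "pull_request", "success"),
]
# Constructed variant: default setup enabled but, so far, only push-triggered runs.
PUSH_ONLY_RUNS = [WorkflowRun("dynamic/github-code-scanning/codeql", "push", "success")]

if __name__ == "__main__":
    print(compare_strategies(SAMPLE_WORKFLOW_FILES, SAMPLE_RUNS))
    print(compare_strategies(SAMPLE_WORKFLOW_FILES, PUSH_ONLY_RUNS))
```

On the first snapshot the file-based strategy returns False while both run-based variants return True, which is the mismatch reported above; on the push-only variant the pre-merge strategy also returns False, showing why a run-based check still needs to look at the triggering event if the "before merging" requirement is kept.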