Security stuff is interesting even in the case where all your employees are saints.
If you are building a Docker image, for example, you likely are doing a pull from Docker Hub; the security scanning software can help you catch security issues there.
It can also help with things like dependencies in your Node projects, Python projects and more (at least, that is what the security scanning software we use at $work does; I assume GitLab is similar).
It's not about employees pushing malicious code; it's about catching issues with dependencies further up the stack, to make sure that the end result you are pushing to your servers/users is not vulnerable.