GitLab IaC Scanning for Terraform Prompt
Enable GitLab Infrastructure-as-Code (IaC) scanning to catch insecure Terraform, CloudFormation, and Kubernetes manifests in merge requests before they apply.
- Target user
- platform engineers maintaining GitLab pipelines and Terraform modules
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform-security engineer who has rolled out GitLab IaC Scanning (KICS-based) across Terraform and Kubernetes monorepos.

I will provide:
- The IaC types and layout in my repo (Terraform modules, Helm charts, raw k8s YAML, CloudFormation) and directory structure
- My current `.gitlab-ci.yml` and whether SAST is already included
- My tolerance for findings (block on Critical/High, warn on the rest) and any known false positives

Your job:
1. **Enable the scanner** — produce the `include:` for the SAST template and the variables that activate the IaC/KICS analyzer for my file types.
2. **Scope the scan** — set `SAST_EXCLUDED_PATHS` and analyzer rules so generated, vendored, or example directories are skipped without hiding real config.
3. **Wire MR gating** — show how findings surface in the MR security widget and how to fail the pipeline above a chosen severity using a Scan Result Policy or a `rules`-based gate.
4. **Tune false positives** — explain inline rule suppression vs. a vulnerability dismissal trail, and when each is appropriate.
5. **Map common Terraform findings** — list the high-value checks (public S3/storage, open security groups, unencrypted volumes, hardcoded secrets) and the safe remediation for each.
6. **Avoid drift gaps** — clarify that IaC scanning checks code, not deployed state, and where a separate posture/CSPM scan is still needed.
7. **Validate** — give a test MR that introduces an open `0.0.0.0/0` ingress and confirm it is flagged and blocked.

Output as: a fenced `.gitlab-ci.yml` snippet, a severity-to-action table, and a top-10 Terraform findings remediation list.

Remember that IaC scanning evaluates source files only — a clean scan does not mean the running infrastructure is compliant if it has drifted or was changed out of band.
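Steps 3 and 7 above (the severity gate and the open-ingress validation), as an added example that is not part of the original prompt and not GitLab's own tooling: a script for a gate job that runs after the IaC analyzer, reads its `gl-sast-report.json` artifact, and exits non-zero when any finding is at or above the blocking severity. It assumes the GitLab security report layout (a `vulnerabilities` list whose entries carry `severity` and `location`), a constructed report containing the `0.0.0.0/0` ingress finding from the test MR, and an id allowlist that is an assumption of this example, since dismissing a finding in the UI does not change the scanner's artifact.

```python
"""Severity gate over a GitLab IaC (KICS) scan report artifact."""
import json
import sys

# Severity names used in GitLab security reports, ranked for comparison.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3,
                 "Low": 2, "Info": 1, "Unknown": 0}

# Constructed sample report: the open-ingress finding from the test MR
# plus one low-severity finding that should only produce a warning.
SAMPLE_REPORT = {
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "constructed-1",
         "name": "Security group ingress open to 0.0.0.0/0",
         "severity": "High",
         "location": {"file": "modules/network/sg.tf", "start_line": 12}},
        {"id": "constructed-2",
         "name": "Resource missing description",
         "severity": "Low",
         "location": {"file": "main.tf", "start_line": 3}},
    ],
}

def evaluate(report, block_at="High", warn_at="Low", allowlist=()):
    """Split findings into (blocking, warning) lists, honouring the allowlist
    of finding ids (hypothetical mechanism for reviewed false positives)."""
    blocking, warning = [], []
    for v in report.get("vulnerabilities", []):
        if v.get("id") in allowlist:
            continue
        rank = SEVERITY_RANK.get(v.get("severity", "Unknown"), 0)
        if rank >= SEVERITY_RANK[block_at]:
            blocking.append(v)
        elif rank >= SEVERITY_RANK[warn_at]:
            warning.append(v)
    return blocking, warning

def describe(v):
    loc = v.get("location", {})
    return f"[{v['severity']}] {v['name']} ({loc.get('file')}:{loc.get('start_line')})"

def main(argv):
    # Usage: gate.py [gl-sast-report.json] [allowlisted-id ...]
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    blocking, warning = evaluate(report, allowlist=set(argv[2:]))
    for v in warning:
        print("WARN ", describe(v))
    for v in blocking:
        print("BLOCK", describe(v))
    return 1 if blocking else 0  # non-zero exit fails the pipeline job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the constructed test MR blocked; in CI, point it at the artifact and declare the gate job's `needs:` on the IaC scan job so the report is available.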