SAST cannot be triggered for my nodejs application

I am using the official template of SAST from the following url,

For my repo, the file structure is like this, the json files are in folder deploy,
image

I have included the above sast template in “include” section of .gitlab-ci.yml. However, when the pipeline is triggered, only eslint-sast has triggered. And there’s no vulunerabilities shown in the eslint report. I am wondering whether nodejs-scan will trigger. Anyone can help please?

The nodejs-scan-sast job has a rule for detecting package.json at the toplevel of the repo.

I have a similar environment to yours, so I’ve done the following to override the included nodejs scan job:

include:
  - template: Security/SAST.gitlab-ci.yml

nodejs-scan-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
        $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
      exists:
        - "package.json"
        - "*/package.json"

Hope that helps.