SAST : Rules : Condition Check is not working

Hi Team,
I am using GitLab SAST. Rule condition check is not working. Currently GitLab SAST is running for all branches even I added condition check.
Sample Code:

include:
  - template: Security/SAST.gitlab-ci.yml
sast:
  stage: app security scan
  when: manual
  image: gitlab/gitlab-runner:latest
  tags:
    - edms-docker-sast
  script:
    - echo "Running SAST for branch $CI_COMMIT_BRANCH"
  allow_failure: true
  rules:
    - if: '$CI_COMMIT_BRANCH =="main"'
      when: always
    - when: never

I tried both $CI_COMMIT_BRANCH and $CI_COMMIT_REF_NAME in the rules condition check but it is not working properly. Git Lab SAST feature is running for all branches even i added condition check. My requirement is that it should run only specified branches.

one more issue “allow_failure: true/false”. both values are not impacting my pipeline flow. Even though my project scan is generated the gl-sast-report.json file. My another requirement is that if gl-sast-report.json file have vulnerability code is found. Block current pipeline stages and should not process other stages

Git Lab : SAST : Version Details
gitlab-runner 17.5.3 (12030cf4)
GitLab Semgrep analyzer v5.25.0