SAST jobs should not be triggered for files in SAST_EXCLUDED_PATHS

Summary

The SAST vendored template has detection logic to determine which analyzer(s) should be used to scrutinize changes on branches. Usually this is done by looking at file extensions or particular files.

While this works, there are conditions where the only matches exist in directories which are explicitly excluded by the SAST_EXCLUDED_PATHS environment variable. We need to find a way to respect that choice.

See #218734 (closed) for a similar issue affecting DS_DEFAULT_ANALYZERS in the context of Dependency Scanning.

Steps to reproduce

Include test fixtures of a language different from the rest of the repository being scrutinized. Downstream QA projects exhibit this behavior as well.

Possible Workarounds

  • Update SAST_DEFAULT_ANALYZERS to not include the analyzers which are spuriously triggered.
  • Modify detection rules to take into account SAST_EXCLUDED_PATHS variable.
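The second workaround, as an added illustration that is not code from the GitLab template: a small model of extension-based analyzer detection that filters candidate files through SAST_EXCLUDED_PATHS before deciding which analyzers to run. The extension-to-analyzer map, the glob semantics and the sample repository listing are constructed assumptions, not the template's real rules.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed extension-to-analyzer map (assumption; the real template's
# detection rules are more elaborate than a suffix lookup).
EXTENSION_RULES = {
    ".py": "bandit",
    ".go": "gosec",
    ".java": "spotbugs",
    ".js": "eslint",
}

# Constructed sample repository: a Go service plus Python/Java test fixtures.
REPO_FILES = [
    "app/main.go",
    "app/handler.go",
    "spec/fixtures/sample.py",
    "tests/data/legacy.java",
]


def parse_excluded_paths(value):
    """Split a comma-separated SAST_EXCLUDED_PATHS value, tolerating whitespace and slashes."""
    return [p.strip().strip("/") for p in value.split(",") if p.strip()]


def is_excluded(path, excluded):
    """True if the path, or any directory above it, matches an exclusion glob."""
    parents = PurePosixPath(path).parts[:-1]
    for pattern in excluded:
        # Whole-path match, or everything beneath a matching prefix.
        if fnmatch.fnmatchcase(path, pattern) or fnmatch.fnmatchcase(path, pattern + "/*"):
            return True
        # Bare directory names such as "spec" exclude that directory wherever it sits.
        if any(fnmatch.fnmatchcase(part, pattern) for part in parents):
            return True
    return False


def select_analyzers(files, excluded_paths="", respect_exclusions=True):
    """Return the analyzers triggered by files that survive the exclusion filter.

    respect_exclusions=False reproduces the reported behaviour: excluded
    fixtures still trigger analyzers the project never wanted.
    """
    excluded = parse_excluded_paths(excluded_paths)
    analyzers = set()
    for f in files:
        if respect_exclusions and is_excluded(f, excluded):
            continue
        analyzer = EXTENSION_RULES.get(PurePosixPath(f).suffix)
        if analyzer:
            analyzers.add(analyzer)
    return analyzers
```

With `spec, tests` excluded, only gosec is selected; without the filter, bandit and spotbugs are spuriously triggered by the fixtures.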

Example Project

What is the current bug behavior?

Analyzers are invoked against files we're trying to avoid through configuration.

What is the expected correct behavior?

The SAST_EXCLUDED_PATHS variable is respected as part of the detection logic.


Edited by Fabien Catteau