Vulnerability disabled in sast-ruleset.toml is still scanned by semgrep-sast job
Hello, we are overriding the semgrep-sast job in our own template, but only to prevent dependencies and cache from being loaded (for performance reasons). We are not targeting the semgrep vendor's CI agent directly, in which case we could look into rules/patterns/paths etc., so the expectation is to still be able to implement and use .gitlab/sast-ruleset.toml configurations.
```yaml
semgrep-sast:
  cache: {}
  dependencies: []
  interruptible: true
  rules:
    - if: '$CI_MERGE_REQUEST_ID || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      exists:
        - '**/*.py'
        - '**/*.js'
        - '**/*.jsx'
        - '**/*.ts'
        - '**/*.tsx'
```
Vulnerability eslint.detect-object-injection comes up in ".tsx" and ".tx" files, so we're unable to work around it by avoiding certain directories. And the contents of sast-ruleset.toml come directly from the documentation (we also attempted to disable by "cwe" type, but semgrep-sast still scanned for this vulnerability).
```toml
[eslint]
  [[eslint.ruleset]]
    disable = true
    [eslint.ruleset.identifier]
      type = "eslint_rule_id"
      value = "security/detect-object-injection"
```
We see instances of this vulnerability in the Security tab of each pipeline, and additional approvals are required for merge requests because of Approval Rules.
This issue is marked as a Bug, but if there are potential workarounds as well, please advise.
Thanks
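An added check, not part of the issue above: a script that parses a sast-ruleset.toml and reports whether a disable entry would apply to a finding from a given SAST job. It assumes, per GitLab's ruleset documentation, that each top-level table is keyed by the analyzer name, so entries under `[eslint]` are read only by the eslint analyzer while the semgrep-sast job reads `[semgrep]` entries whose identifier type is `semgrep_id`; the second ruleset string is a constructed example of that form, and the job-to-analyzer mapping is an assumption of this script.

```python
"""Check whether a disable entry in .gitlab/sast-ruleset.toml applies to the
analyzer that produced a finding (added example, not from the issue)."""
try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample: the ruleset as posted in the issue.
POSTED_RULESET = """
[eslint]
  [[eslint.ruleset]]
    disable = true
    [eslint.ruleset.identifier]
      type = "eslint_rule_id"
      value = "security/detect-object-injection"
"""

# Constructed sample: the same rule disabled under the semgrep analyzer table
# (assumed form: section keyed by analyzer name, identifier type semgrep_id).
SEMGREP_RULESET = """
[semgrep]
  [[semgrep.ruleset]]
    disable = true
    [semgrep.ruleset.identifier]
      type = "semgrep_id"
      value = "eslint.detect-object-injection"
"""

# Assumed mapping from SAST job name to (analyzer table, identifier type).
JOB_TO_ANALYZER = {
    "semgrep-sast": ("semgrep", "semgrep_id"),
    "eslint-sast": ("eslint", "eslint_rule_id"),
}

def disabled_identifiers(ruleset_toml: str, analyzer: str) -> set[tuple[str, str]]:
    """Return (type, value) pairs disabled under the given analyzer's table."""
    data = tomllib.loads(ruleset_toml)
    found = set()
    for entry in data.get(analyzer, {}).get("ruleset", []):
        ident = entry.get("identifier", {})
        if entry.get("disable") and "type" in ident and "value" in ident:
            found.add((ident["type"], ident["value"]))
    return found

def is_suppressed(ruleset_toml: str, job: str, finding_id: str) -> bool:
    """True only if the finding's job reads a table that disables this identifier."""
    analyzer, id_type = JOB_TO_ANALYZER[job]
    return (id_type, finding_id) in disabled_identifiers(ruleset_toml, analyzer)

if __name__ == "__main__":
    for name, cfg in (("posted [eslint]", POSTED_RULESET), ("[semgrep]", SEMGREP_RULESET)):
        print(name, "->", is_suppressed(cfg, "semgrep-sast", "eslint.detect-object-injection"))
```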