Brakeman analyzer doesn't reject incompatible project Spree

Summary

The SAST Brakeman analyzer shouldn't attempt to analyze a project unless it directly depends on rails. It's not sufficient that rails appears somewhere in Gemfile.lock, because the gem could be a transitive (AKA nested) dependency pulled in by another gem.

Steps to reproduce

  • Choose a project that depends on rails but is not a Rails project
  • Configure SAST
  • Run the pipeline

Example Project

https://gitlab.com/joshlambert/spree

See https://gitlab.com/joshlambert/spree/-/jobs/74456586

What is the current bug behavior?

It attempts to run Brakeman.

What is the expected correct behavior?

It should report Project not found and skip.

Possible fixes

Look for a line that matches the regular expression ^ rails (i.e. rails listed as a direct dependency rather than nested under another gem). The bug is in plugin.go. This is a regression introduced when implementing #5232 (closed).
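To illustrate the proposed check, here is an added Go example (not the analyzer's own plugin.go code). It contrasts the current "rails appears anywhere in Gemfile.lock" test with a check that only accepts rails when it is listed in the lock file's DEPENDENCIES section. The two-space indent in the regular expression is an assumption about how bundler writes that section (nested gems under GEM/specs are indented four or more spaces); the Gemfile.lock excerpts are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed Gemfile.lock excerpt: rails is only a nested (transitive)
// dependency of spree_core. rails-html-sanitizer is a direct dependency,
// which must not be mistaken for rails itself.
const lockTransitive = `GEM
  remote: https://rubygems.org/
  specs:
    actionpack (5.2.1)
    rails (5.2.1)
      actionpack (= 5.2.1)
    spree_core (3.7.0)
      rails (~> 5.2)

PLATFORMS
  ruby

DEPENDENCIES
  rails-html-sanitizer (~> 1.0)
  spree_core (~> 3.7)

BUNDLED WITH
   1.16.1
`

// Constructed Gemfile.lock excerpt of a real Rails project: rails is direct.
const lockDirect = `GEM
  remote: https://rubygems.org/
  specs:
    rails (5.2.1)
      actionpack (= 5.2.1)

PLATFORMS
  ruby

DEPENDENCIES
  rails (~> 5.2)

BUNDLED WITH
   1.16.1
`

// naiveCheck reproduces the behaviour the issue describes as buggy:
// any occurrence of "rails" in the lock file makes the project "Rails".
func naiveCheck(lock string) bool {
	return strings.Contains(lock, "rails")
}

// directRails matches a DEPENDENCIES entry (two-space indent, assumed
// bundler layout) whose gem name is exactly "rails". The trailing
// whitespace/end-of-line check keeps rails-html-sanitizer from matching.
var directRails = regexp.MustCompile(`^  rails(\s|$)`)

// dependsOnRails returns true only when rails is a direct dependency,
// i.e. it appears in the DEPENDENCIES section of Gemfile.lock.
func dependsOnRails(lock string) bool {
	inDeps := false
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := sc.Text()
		if line == "DEPENDENCIES" {
			inDeps = true
			continue
		}
		// A blank line or the next unindented header ends the section.
		if inDeps && !strings.HasPrefix(line, " ") {
			inDeps = false
		}
		if inDeps && directRails.MatchString(line) {
			return true
		}
	}
	return false
}

func main() {
	for name, lock := range map[string]string{"spree-like": lockTransitive, "rails-app": lockDirect} {
		fmt.Printf("%-10s naive=%v direct=%v\n", name, naiveCheck(lock), dependsOnRails(lock))
	}
}
```

For the Spree-like lock file the naive check reports a Rails project while the section-aware check does not, which is the "Project not found, skip" outcome the issue asks for.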
