SAST Job fails to detect npm project
Summary
SAST not working
Steps to reproduce
Given you have this job definition in .gitlab-ci.yaml:

```yaml
sast:
  image: docker:stable
  stage: test
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    paths: [gl-sast-report.json]
  tags:
    - dind
```
Example Project
The project contains a package.json.
What is the expected correct behavior?
Detect package.json and run SAST correctly.
Relevant logs and/or screenshots
```
$ docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
2018/09/10 10:55:47 Copy project directory to containers
2018/09/10 10:55:47 [bandit] Detect project using plugin
2018/09/10 10:55:47 [bandit] Project not compatible
2018/09/10 10:55:47 [brakeman] Detect project using plugin
2018/09/10 10:55:47 [brakeman] Project not compatible
2018/09/10 10:55:47 [find-sec-bugs] Detect project using plugin
2018/09/10 10:55:47 [find-sec-bugs] Project not compatible
2018/09/10 10:55:47 [find-sec-bugs-gradle] Detect project using plugin
2018/09/10 10:55:47 [find-sec-bugs-gradle] Project not compatible
2018/09/10 10:55:47 [find-sec-bugs-sbt] Detect project using plugin
2018/09/10 10:55:47 [find-sec-bugs-sbt] Project not compatible
2018/09/10 10:55:47 [flawfinder] Detect project using plugin
2018/09/10 10:55:47 [flawfinder] Project not compatible
2018/09/10 10:55:47 [gosec] Detect project using plugin
2018/09/10 10:55:47 [gosec] Project not compatible
2018/09/10 10:55:47 [nodejs-scan] Detect project using plugin
2018/09/10 10:55:47 [nodejs-scan] Project not compatible
2018/09/10 10:55:47 [phpcs-security-audit] Detect project using plugin
2018/09/10 10:55:47 [phpcs-security-audit] Project not compatible
No compatible analyzer can be found
ERROR: Job failed: exit code 3
```
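The log shows every analyzer plugin running its own compatibility check against the mounted /code directory and declining the project, after which the runner exits with code 3. The following pre-flight script is an added example; it is not part of this issue and not code from GitLab's SAST image. It reproduces the job's SP_VERSION derivation (the same sed expression as the script line above) and reports which marker files are present directly in the checkout root before the analyzer container is started. The marker list (`SAST_MARKERS`) and the assumption that detection looks only at the repository root are assumptions made for the example, following the reporter's expectation that package.json and composer.json identify a project; they are not GitLab's detection table.

```shell
#!/bin/sh
# Added example, not from the issue or from GitLab's SAST image.
# Reproduces the job's SP_VERSION derivation and adds a pre-flight check
# that reports which marker files the repository root contains, so a
# "No compatible analyzer can be found" failure can be narrowed down
# before running the analyzer container.

# Same sed expression as the job's script line: "11.3.0-ee" -> "11-3-stable".
sp_version() {
  echo "$1" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/'
}

# Marker files to look for in the repository root. ASSUMPTION: this list is
# illustrative and follows the reporter's expectation that package.json
# (Node.js) and composer.json (PHP) identify a project; it is not GitLab's
# detection table.
SAST_MARKERS="package.json composer.json Gemfile requirements.txt pom.xml build.gradle go.mod"

# Prints the marker files found directly in $1 and returns 0 if any exist.
# A marker that exists only in a subdirectory is reported as a hint, because
# the failing job mounts the checkout root as /code and detection is assumed
# (not confirmed by the issue) to look only there.
sast_preflight() {
  dir="$1"
  found=0
  for marker in $SAST_MARKERS; do
    if [ -f "$dir/$marker" ]; then
      echo "root marker present: $marker"
      found=1
    else
      nested=$(find "$dir" -mindepth 2 -maxdepth 3 -name "$marker" 2>/dev/null | head -n 1)
      if [ -n "$nested" ]; then
        echo "hint: $marker only found below the root: $nested"
      fi
    fi
  done
  [ "$found" -eq 1 ]
}

# Usage: ./sast-preflight.sh <project-dir> [gitlab-server-version]
if [ "$#" -gt 0 ]; then
  [ "$#" -gt 1 ] && echo "analyzer image tag: $(sp_version "$2")"
  if sast_preflight "$1"; then
    echo "at least one marker file is present in $1"
  else
    echo "no marker file in the root of $1; every analyzer would report 'Project not compatible'" >&2
    exit 3
  fi
fi
```

Running the script as an extra `script:` line before the `docker run` turns the generic "No compatible analyzer can be found" into a concrete statement about what the mounted directory actually contains, and the hint line catches the common case where the manifest lives in a subdirectory rather than at the mount root.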
Additions
Maybe it's also simply my fault. The problem is that there is no clear documentation of how projects are detected, and what preparations have to be done. I have the same problem with a PHP project containing a composer.json: SAST is telling me that there is no project.
Edited by Fabien Catteau