semgrep-sast scans node_modules directory making it take forever to finish
Current behavior: semgrep-sast scans node_modules directory making it take forever to finish.
Our build job is passing untracked changes so that our docker build job has the sources it needs to containerize the app, and since semgrep-sast doesn't explicitly have `dependencies: []` in its YAML, it is pulling in node_modules and scanning it all.
Expected behavior: semgrep-sast should not scan node_modules because it's a static code analysis tool, not a dependency scanning tool.
NOTE: Even if we add

```yaml
variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, uglifyjs, selenium, test-reports, bower_components, node_modules"
```

it only excludes the vulnerabilities from the vulnerability report. SAST_EXCLUDED_PATHS is not making semgrep stop scanning node_modules, which makes the job take way too long (hours).
Edited by Clayton Weidinger
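The workaround the report points at, as an added example that is not part of the original issue: a `.gitlab-ci.yml` that reproduces the setup (a build job publishing untracked files such as `node_modules` as artifacts) and then overrides the template's `semgrep-sast` job with `dependencies: []` so it never downloads those artifacts and only sees the checked-out sources. The `build` and `docker-build` job names, the `npm ci` step and the stage layout are assumptions for illustration; `include: template: Security/SAST.gitlab-ci.yml`, `dependencies`, `artifacts.untracked` and `SAST_EXCLUDED_PATHS` are standard GitLab CI keywords.

```yaml
# Assumed stage layout; the SAST template places semgrep-sast in the "test" stage.
stages:
  - build
  - test
  - package

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Kept from the report: this filters findings out of the report but, as the
  # issue states, does not by itself stop semgrep from walking node_modules.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, uglifyjs, selenium, test-reports, bower_components, node_modules"

# Hypothetical build job that publishes untracked files (including node_modules)
# so a later docker build job can containerize the app.
build:
  stage: build
  image: node:20
  script:
    - npm ci
    - npm run build
  artifacts:
    untracked: true
    expire_in: 1 hour

# Override of the template job: an empty dependencies list means no artifacts
# from earlier stages are downloaded, so semgrep scans only the repository
# checkout and never sees the node_modules produced by "build".
semgrep-sast:
  dependencies: []

# Hypothetical consumer of the build artifacts; it keeps the default behaviour
# of downloading artifacts from all earlier stages.
docker-build:
  stage: package
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
```

A quick check that the override took effect: in the `semgrep-sast` job log, the "Downloading artifacts" step should no longer appear before the analyzer starts, and the scan time should drop back to what it takes on the bare checkout. If `dependencies` is already used elsewhere in the file, the `needs:` keyword with `artifacts: false` is an alternative way to express the same thing, but `dependencies: []` is the minimal change for a template-provided job.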