diff --git a/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb b/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
index d075a4d9c9c42c60b761bff5209298554dd0e418..0f5ff0d7584d81eb500dc4040a3314f539b485e0 100644
--- a/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
@@ -10,6 +10,7 @@ class CiConfigurationService
         'sast_iac' => 'Jobs/SAST-IaC',
         'dependency_scanning' => 'Jobs/Dependency-Scanning'
       }.freeze
+      EXCLUDED_VARIABLES_PATTERNS = %w[_DISABLED _EXCLUDED_ANALYZERS _EXCLUDED_PATHS].freeze
 
       def execute(action, ci_variables, index = 0)
         case action[:scan]
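Review bot: `EXCLUDED_VARIABLES_PATTERNS` has no comment, and its name suggests patterns although the entries are literal fragments, which the second hunk in this file tests with `include?` against a rule's `if` text. Because that test is unanchored, `_DISABLED` also matches an unrelated variable such as `$MY_DISABLED_FLAG` (constructed example), which may be wider than intended. I would add a comment above the constant: `# Literal substrings of CI variable names; a job rule whose :if contains one is removed by remove_rule_to_disable_job!.` The class body starts before this hunk and continues after it.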
@@ -81,7 +82,9 @@ def remove_extends!(job_configuration)
       end
 
       def remove_rule_to_disable_job!(job_configuration)
-        job_configuration[:rules]&.reject! { |rule| rule[:if]&.include?('_DISABLED') }
+        job_configuration[:rules]&.reject! do |rule|
+          EXCLUDED_VARIABLES_PATTERNS.any? { |pattern| rule[:if]&.include?(pattern) }
+        end
       end
     end
   end
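Review bot: The new block in `remove_rule_to_disable_job!` rejects a rule whenever its `if` text contains one of the fragments, without looking at the rule's `when:` value or at what else the expression tests. A compound condition, or a rule that is not `when: 'never'`, would be dropped as a whole, and the remaining rules then decide whether the job runs. If only opt-out rules are meant, the predicate could also require `rule[:when] == 'never'`, which is the shape of the rule removed from processor_spec.rb in this commit. Otherwise a comment such as `# Drops the whole rule, whatever its :when, if its :if mentions an opt-out variable.` would record that the breadth is intentional.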
diff --git a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
index e2139de2e553a894ac3f526553b7abc3564cfb5a..ac840697daf89b09d72495c9a050e5c4f4f3bc45 100644
--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -269,7 +269,6 @@
               script: ['/analyzer run'],
               image: { name: '$SAST_ANALYZER_IMAGE' },
               rules: [
-                { if: '$SAST_EXCLUDED_ANALYZERS =~ /brakeman/', when: 'never' },
                 { if: '$CI_COMMIT_BRANCH', exists: ['**/*.rb', '**/Gemfile'] }
               ]
             )
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
index 41d35a3f0665684a2f971ea7aba8fc184a62a109..5440662964f4a6de3a0cfdfe1d76570d4c1da5fb 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
@@ -20,6 +20,17 @@
       end
     end
 
+    shared_examples 'removes rules which disable jobs' do
+      it 'removes rules matching EXCLUDED_VARIABLES_PATTERNS' do
+        subject.each do |key, configuration|
+          expect(configuration[:rules]).not_to(
+            match(array_including(hash_including(if: /_EXCLUDED_ANALYZERS|_DISABLED|_EXCLUDED_PATHS/))),
+            "expected configuration '#{key}' not to disable jobs or exclude paths"
+          )
+        end
+      end
+    end
+
     context 'when action is valid' do
       context 'when scan type is secret_detection' do
         let_it_be(:action) { { scan: 'secret_detection', tags: ['runner-tag'] } }
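Review bot: The regexp in the shared example, `/_EXCLUDED_ANALYZERS|_DISABLED|_EXCLUDED_PATHS/`, repeats the contents of `EXCLUDED_VARIABLES_PATTERNS` by hand, so a fragment added to the constant later would not be covered by this check. Deriving it from the constant keeps the two in step: `hash_including(if: Regexp.union(described_class::EXCLUDED_VARIABLES_PATTERNS))`, assuming `described_class` is the service here. The example also passes when a template has no such rule to begin with, so it shows absence in the output rather than removal. The surrounding `describe` and `context` blocks start and end outside the hunk.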
@@ -29,6 +40,7 @@
         end
 
         it_behaves_like 'with template name for scan type'
+        it_behaves_like 'removes rules which disable jobs'
 
         it 'merges template variables with ci variables and returns them as string' do
           expect(subject[:'secret-detection-0']).to include(
@@ -73,6 +85,7 @@
         let_it_be(:ci_variables) { { 'GIT_STRATEGY' => 'fetch', 'VARIABLE_1' => 10 } }
 
         it_behaves_like 'with template name for scan type'
+        it_behaves_like 'removes rules which disable jobs'
 
         it 'merges template variables with ci variables and returns them as string' do
           expect(subject[:'container-scanning-0']).to include(
@@ -158,6 +171,8 @@
           expect(subject[:'sast-0'][:variables].stringify_keys).to include(expected_variables)
           expect(subject.keys).to match_array(expected_jobs)
         end
+
+        it_behaves_like 'removes rules which disable jobs'
       end
 
       context 'when scan type is dependency_scanning', :aggregate_failures do
@@ -187,6 +202,8 @@
           expect(subject[:'dependency-scanning-0'][:variables]).to include(expected_variables)
           expect(subject.keys).to match_array(expected_jobs)
         end
+
+        it_behaves_like 'removes rules which disable jobs'
       end
 
       context 'when scan type is sast_iac', :aggregate_failures do
@@ -201,6 +218,8 @@
           expect(subject[:variables]).to be_nil
           expect(subject.keys).to match_array(expected_jobs)
         end
+
+        it_behaves_like 'removes rules which disable jobs'
       end
     end