Per https://github.com/google/osv-scanner/issues/639, there's a bug upstream that is blocking us from using the Application Security Pipeline for function-orchestrator. It's solved upstream and will be fixed in v1.5.0 when that comes out, but until then, would it be possible to pin the ASP to v1.4.2 as they recommend?
I believe that currently we're just pointed at @v1 per https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/blob/main/generic-osv/osv-ci.yaml?ref_type=heads#L33