If deployment-bastion had an up to date list of ssh host keys we would be able to remove the scap cherry-pick of I6a56b5ec7887737d1662a3cc9e0cd1a5c13ec95d that scap is using in beta to ignore the remote host key.
Mukunda took a stab at this in Iac547efa83cf059a1276b6e279c3ebd4c7224b2c but we pulled the patch when it had merge conflicts with an upstream change.