Currently, our [[ https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/blob/58c287bbabffa0e9d31a9a7f15e400419dc7e257/python-bandit/python-bandit-ci.yml | bandit appsec include ]] is expecting to use one of the `python3-build` images under docker-registry.wikimedia.org. But its `apt` calls aren't working now ([[ https://gitlab.wikimedia.org/repos/security/wikimedia-code-health-check/-/jobs/228878 | example ]]) because those images are now too locked down. So let's update the include (and [[ https://www.mediawiki.org/wiki/Security/Application_Security_Pipeline#Bandit | the doc ]]) to use a more generic `bookworm` (or similar) image.
[] Update comments and `apt` calls within the include file
[] Update callers of the include (I think just Wikimedia Code Health Check for now...)
[] Update the relevant mediawiki.org doc