GitLab CI/CD Container Scanning Allowlist & Severity Gate Prompt
Tune the Container Scanning template so the pipeline fails on real high/critical CVEs while suppressing accepted or unfixable findings through a maintained allowlist.
- Target user: DevSecOps engineers gating image promotion on vulnerabilities
- Difficulty: Intermediate
- Tools: Claude, Gemini
The prompt
You are a senior DevSecOps engineer who specializes in GitLab vulnerability management. I will provide:

- My `.gitlab-ci.yml` include of `Container-Scanning.gitlab-ci.yml`
- The scanner output / a sample of current findings (`gl-container-scanning-report.json`)
- Which CVEs are accepted-risk or unfixable, and why
- My promotion policy (block merge vs block deploy)

Your job:

1. **Baseline config** — confirm the correct `include:template` and the `CS_IMAGE` / `CS_REGISTRY_USER` / `CS_REGISTRY_PASSWORD` variables pointing at the just-built image, referenced by digest rather than a mutable tag so the image that was scanned is the one that gets promoted.
2. **Severity gate** — set `CS_SEVERITY_THRESHOLD` to limit what the scanner reports, and account for the fact that the template's `container_scanning` job runs with `allow_failure: true` and never fails the pipeline on findings by itself. Add a downstream gate job that `needs` the report artifact and exits non-zero when any remaining finding is high or critical. A `rules:` clause cannot do this on its own: `rules` are evaluated before the scan runs and cannot see its results.
3. **Allowlist** — author a `vulnerability-allowlist.yml` in the repository root (`generalallowlist` plus per-image entries under `images`) for the accepted CVEs, with justification comments and review-by dates. Prefer per-CVE entries over `CS_IGNORE_UNFIXED`, which hides every unfixed finding regardless of severity.
4. **Report wiring** — ensure `artifacts:reports:container_scanning` populates the MR security widget.
5. **Drift control** — propose a scheduled pipeline that re-scans the promoted image so allowlisted CVEs are revisited when fixes ship.
6. **Fail closed** — make the gate block when the report is missing or its `scan.status` is not `success`, rather than passing silently on an empty result.

Output as: (a) the scanning job YAML, (b) a commented `vulnerability-allowlist.yml`, (c) the promotion gate logic, (d) a quarterly review checklist. Call out any allowlist entry that would hide a critical RCE, and include how to remove an entry safely.
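Steps 2 and 6 of the prompt describe the gate only in prose. What follows is an added worked example (mine, not GitLab's code and not part of the Container-Scanning template) of the script the downstream gate job would run. It assumes the report follows the GitLab security report schema (`scan.status`, `vulnerabilities[].severity`, `identifiers[]` with `type: cve`, `location.dependency.package.name`, `solution`), that `vulnerability-allowlist.yml` has been loaded into a mapping of the same shape, that image keys under `images` are matched on repository path with tag or digest ignored (my approximation of GitLab's matching, not taken from its documentation), and that a non-empty `solution` means a fixed package version has shipped. The sample report and allowlist are constructed, with placeholder CVE ids.

```python
# Added example gate for steps 2 and 6 of the prompt; not GitLab's code or the template's.
import json
import sys
from pathlib import Path

SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

class GateError(Exception):
    """The report cannot be trusted; callers must fail closed, never pass."""

def check_scan_status(report):
    """A missing, failed or malformed scan must never be read as 'no findings'."""
    status = (report.get("scan") or {}).get("status")
    if status != "success" or "vulnerabilities" not in report:
        raise GateError(f"scan status {status!r} or malformed report: refusing to promote")
    return report

def load_report(path):
    if not Path(path).is_file():  # no artifact means the scan never ran, not that it was clean
        raise GateError(f"{path} not found: did the container_scanning job run?")
    return check_scan_status(json.loads(Path(path).read_text()))

def _strip_ref(image):
    # Repository path without tag/digest; only the last segment is cut so a registry port survives.
    head, sep, last = image.rpartition("/")
    return head + sep + last.split("@", 1)[0].split(":", 1)[0]

def _cve_of(vuln):
    cves = [i.get("value") for i in vuln.get("identifiers", []) if i.get("type") == "cve"]
    return cves[0] if cves else vuln.get("name")

def _entry_matches(entry_pkg, pkg):
    return entry_pkg is None or entry_pkg == pkg  # null = any package, string = that package only

def is_allowlisted(vuln, allowlist, image):
    cve = _cve_of(vuln)
    pkg = vuln.get("location", {}).get("dependency", {}).get("package", {}).get("name")
    scopes = [allowlist.get("generalallowlist") or {}]  # global entries first
    scopes += [e or {} for k, e in (allowlist.get("images") or {}).items()
               if _strip_ref(k) == _strip_ref(image)]  # then entries scoped to this image
    return any(cve in s and _entry_matches(s[cve], pkg) for s in scopes)

def evaluate(report, allowlist, image, threshold="high"):
    """Bucket findings at/above threshold into blocking vs suppressed; flag suppressed ones to revisit."""
    check_scan_status(report)
    floor = SEVERITY_RANK[threshold.lower()]
    out = {"blocking": [], "suppressed": [], "suppressed_critical": [], "fix_available": []}
    for vuln in report["vulnerabilities"]:
        sev = SEVERITY_RANK.get(str(vuln.get("severity", "unknown")).lower(), 0)
        if sev < floor:
            continue
        cve = _cve_of(vuln)
        if not is_allowlisted(vuln, allowlist, image):
            out["blocking"].append(cve)
            continue
        out["suppressed"].append(cve)
        if sev == SEVERITY_RANK["critical"]:
            out["suppressed_critical"].append(cve)  # hidden critical: needs explicit sign-off
        if vuln.get("solution"):  # assumption: a non-empty solution means a fixed version exists
            out["fix_available"].append(cve)  # the allowlist entry is stale, revisit it
    return out

def gate(report, allowlist, image, threshold="high"):
    """Print the verdict and return the CI exit code: 0 promote, 1 blocking findings, 2 report untrusted."""
    try:
        verdict = evaluate(report, allowlist, image, threshold)
    except GateError as exc:
        print(f"GATE ERROR: {exc}", file=sys.stderr)
        return 2  # fail closed, distinct from "findings present"
    for bucket in ("suppressed_critical", "fix_available"):
        for cve in verdict[bucket]:
            print(f"REVIEW [{bucket}]: {cve}")
    if verdict["blocking"]:
        print("BLOCK: " + ", ".join(verdict["blocking"]))
        return 1
    print(f"PASS: nothing unallowlisted at or above {threshold}")
    return 0

SAMPLE_IMAGE = "registry.example.com/team/app@sha256:0123456789abcdef"  # constructed sample data below
SAMPLE_ALLOWLIST = {  # what yaml.safe_load("vulnerability-allowlist.yml") would return; placeholder CVE ids
    "generalallowlist": {"CVE-0000-0002": None, "CVE-0000-0005": "coreutils"},
    "images": {"registry.example.com/team/app:": {"CVE-0000-0003": "curl"}},
}

def _vuln(cve, severity, package, solution=None):
    return {"name": cve, "severity": severity, "solution": solution,
            "identifiers": [{"type": "cve", "name": cve, "value": cve}],
            "location": {"image": SAMPLE_IMAGE, "dependency": {"package": {"name": package}}}}

SAMPLE_REPORT = {"scan": {"status": "success"}, "vulnerabilities": [
    _vuln("CVE-0000-0001", "Critical", "openssl", "Upgrade openssl to 3.0.9"),
    _vuln("CVE-0000-0002", "High", "libc6", "Upgrade libc6 to 2.36-9"),
    _vuln("CVE-0000-0003", "Critical", "curl"),
    _vuln("CVE-0000-0004", "Medium", "zlib1g"),
    _vuln("CVE-0000-0005", "High", "bash"),  # allowlisted only for coreutils, so it still blocks
]}

if __name__ == "__main__":  # in CI: gate(load_report(path), yaml.safe_load(...), os.environ["CS_IMAGE"])
    sys.exit(gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, SAMPLE_IMAGE))
```

Run it as a job that `needs` the scanning job with `artifacts: true`, pass it `gl-container-scanning-report.json`, the allowlist loaded with PyYAML's `yaml.safe_load`, and `$CS_IMAGE`, and give that job no `allow_failure` so exit codes 1 and 2 both stop the pipeline. The `REVIEW [suppressed_critical]` lines are the "allowlist entry hiding a critical" call-out the prompt asks for, and a scheduled run of the same job against the promoted image surfaces `REVIEW [fix_available]` lines, which is the drift signal of step 5.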