Investigate and determine what to do about GitLab scan findings

We have a merge request that will establish a new CI/CD pipeline for the API! It can be found here: !1962 (merged)

This MR enables a variety of GitLab's own CI/CD features (static and dynamic scans, dependency scans, and more) and starts to incorporate some of what we have currently in GitHub.

However... A bunch of new things are being flagged and found.

Ultimately this is a good thing though, we want that! Now we ought to look into these and determine the following:

  • Are the findings legitimate?
  • Should we be scanning literally all the things, or do we need to adjust the configuration some more to exclude certain things and/or adjust finding thresholds?

Based on what we figure out and decide, we will have to make changes and fixes to get the pipeline checks to all completely pass.

Lastly, this will be a great opportunity to engage with the broader Cloud.gov team, especially the Cybersecurity Squad, and determine what makes sense as a baseline for all Cloud.gov projects!

Implementation Sketch and Acceptance Criteria

  • Review the findings on the Security tab of a recent pipeline run from the MR, e.g., https://workshop.cloud.gov/notifications/api/-/pipelines/2230/security
  • Make a list of the things that should be fixed and create a new issue to track that work
  • For anything that shouldn't be fixed, note why and how it will be mitigated (e.g., adjusting scan configuration, flagging to ignore, etc.) and make the necessary adjustments
  • Perform any work in the existing MR so that when it is finally merged, everything is passing and in good shape moving forward
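As an added illustration (not configuration from the MR or from the project), here is the shape such scan tuning takes in a `.gitlab-ci.yml`: the security templates are included, and the exclusion variables decide which paths the scanners skip. The template and variable names are GitLab's own documented ones; the path lists are assumptions made for this example.

```yaml
# Added example, not the project's pipeline. Enables GitLab's SAST, secret
# detection and dependency scanning, then narrows what they skip.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # Weak setting (assumed, for contrast): excluding whole source folders hides
  # real findings in code we ship.
  # SAST_EXCLUDED_PATHS: "tests, notifications_python_client, notifications_utils"

  # Corrected: exclude only test code, fixtures and build output, so folders such
  # as notifications_python_client and notifications_utils are scanned. GitLab's
  # default for SAST_EXCLUDED_PATHS is "spec, test, tests, tmp"; the extra
  # entries here are assumptions.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, build, dist"
  SECRET_DETECTION_EXCLUDED_PATHS: "tests/fixtures"
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
```

Findings that are reviewed and judged not worth fixing are best recorded where the scanner reports them: GitLab's vulnerability report lets a finding be dismissed with a stated reason, which keeps the "why" and the mitigation next to the finding rather than only in an issue comment.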

Security Considerations

  • The new scans provide increased threat and vulnerability coverage and flag considerably more than what we were seeing before.
  • There are some folders we should start scanning (e.g., notifications_python_client and notifications_utils) and whose findings we should start addressing.