PCI scan failing on Omnibus Registry server - QID 11827: HTTP Security Header Not Detected
Our Omnibus Registry server is being flagged as being vulnerable with QID 11827: HTTP Security Header Not Detected during our weekly PCI scan.
I can fix this by manually editing /var/opt/gitlab/nginx/conf/gitlab-registry.conf and adding the following to the server section, then restarting:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
Obviously these changes are overwritten by gitlab-ctl reconfigure and when the server is updated.
This is with gitlab-ee/bionic 12.3.4-ee.0. I'm not a coder so I am unsure where to look for the code that creates gitlab-registry.conf in order to add these headers and fix this with a merge request. Can someone help me investigate?
Edited by Dave Roberts
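As an added check (not part of the issue above, and not GitLab's own code), this POSIX shell function reads a raw HTTP response header block and reports which of the three headers the post adds are missing, which is the condition QID 11827 flags. The registry hostname in the usage comment is a placeholder; the two header dumps are constructed samples of a registry response before and after the add_header lines take effect.

```shell
#!/bin/sh
# Added example: verify the registry vhost now sends the three security headers.
# Real use after `gitlab-ctl reconfigure` (hostname is a placeholder):
#   curl -sI https://registry.example.com/v2/ | check_security_headers

# Constructed sample: response headers as the registry sent them before the fix.
SAMPLE_BEFORE='HTTP/1.1 401 Unauthorized
Server: nginx
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0'

# Constructed sample: the same response once the add_header lines are active.
SAMPLE_AFTER='HTTP/1.1 401 Unauthorized
Server: nginx
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block'

# Reads a raw header block on stdin. Prints the name of each missing header,
# one per line, and returns 1 if any are missing, 0 if all three are present.
# Header names are matched case-insensitively, as HTTP requires; a trailing
# CR from `curl -I` output does not affect the match.
check_security_headers() {
    headers=$(cat)
    missing=0
    for name in X-Frame-Options X-Content-Type-Options X-XSS-Protection; do
        if ! printf '%s\n' "$headers" | grep -qi "^${name}:"; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}
```

Run it against the registry endpoint after each reconfigure or package upgrade, since the post notes that the hand-edited nginx config is overwritten by both.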