I really love it when these security scanners get hung up on the version number - when really what they should be concentrating on is whether the actual version installed has vulnerabilities. However, I cannot say that for sure, since you didn’t mention why Tenable Security Center/Nessus recommended the upgraded version in the first place.
here are a list of vulnerabilities, and obviously Nginx 1.18 does feature in some of them. More important is, not whether Gitlab, or a Linux distro is running the latest version - but rather, that vulnerabilities in the version installed are addressed during updates etc. For example, Debian 10 has Nginx 1.14, RHEL7 for example 1.16. Since these are stable distributions, they will not release the latest and greatest Nginx, but rather patch the version they released.
The same would also apply for any other applications, bundled or what be it, like Gitlab, addressing those by patching at a minimum or potentially upgrading to a later version in the near future.
Providing Tenable Security Center didn’t find any critical vulnerabilities, and as long as vulnerabilities are addressed by Gitlab, then the fact that 1.18 is installed instead of 1.20 should be a non-issue. @dnsmichi posted something earlier on the forum:
therefore if you find a vulnerability with your scanner, you can disclose it responsibly by following the link in the above post or directly here: Responsible Disclosure Policy | GitLab