CloudArmor appears to use OWASP CRS 3.0.1 rules which are now pretty dated (last update around 4 years ago). CRS is now on V3.3 and V3.4 is in development.
Is there a way to take the new rules from coreruleset Github Repo and import into CloudArmor? Does Google have plans to update to the newer set by default?
Main driver is that some of the rules are very dated or unworkable. For example scanner detection triggers on "python-requests" as a User-Agent and this is no longer checked for in latest V3.3 ruleset.
If this has not been solved yet: I think Google does not give you the chance to pick for yourself. Also, it's a commercial support question that should probably be directed there.