I ran initial scans, and added the repo(s) to the list for future re-scans.
Unresolved findings will be shown with an "unread indicator" on the "Security" tab on each repo.
I've also done a basic sanity check of the findings and filtered out the obvious garbage caused by limitations of the current queries. This doesn't mean that what's left are true positive findings, just that those are not due to bad queries.
We're using GitHub's CodeQL as the tech for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repo(s) on lgtm.com, or add regular CodeQL code scanning to your plugins.
If you have questions or feedback, please reach out to me directly, or email the Jenkins security team at firstname.lastname@example.org
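For plugin maintainers who want to follow the suggestion above and enable regular CodeQL code scanning on their own repository, this is the kind of GitHub Actions workflow that does it. It is an added example, not part of the original post and not the Jenkins security team's Jenkins-specific query setup; the branch name, the Java version, the weekly cron schedule and the `security-extended` query suite are assumptions you should adjust for your plugin.

```yaml
# .github/workflows/codeql.yml  (added example; assumes a Maven-based Java plugin)
name: CodeQL

on:
  push:
    branches: [ master ]        # assumption: default branch is "master"
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 6 * * 1'         # assumption: weekly re-scan on Monday morning

# Least privilege: only what CodeQL needs to read code and upload SARIF results
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'    # assumption: adjust to the JDK your plugin builds with

      # Initialise CodeQL for Java; "security-extended" adds the broader
      # security query pack on top of the default suite (assumption: you want it)
      - uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-extended

      # Lets CodeQL drive the Maven build so the database is built from real compilation
      - uses: github/codeql-action/autobuild@v3

      # Runs the queries and uploads results to the repository's Security tab
      - uses: github/codeql-action/analyze@v3
```

Results from this workflow appear as code scanning alerts under the same "Security" tab as the findings mentioned above, so they are easy to confuse with the Jenkins-specific ones; the alert's "Tool" and rule name tell them apart. If `autobuild` cannot build your plugin, replace that step with an explicit `mvn -B -ntp package -DskipTests` run between `init` and `analyze`.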