Thanks for signing up!
An initial scan is finished, and I added the repo(s) to the list for future re-scans.
Unresolved findings are shown with an "unread indicator" on the "Security" tab on each repo.
I've also done a basic sanity check of the findings and filtered out the obvious garbage due to limitations of current queries. This doesn't mean what's left are true positive findings, just that those are not due to really bad queries.
If you think a finding is a true-positive security issue, please file it in the SECURITY tracker so we can review the fix and coordinate a release.
We're using GitHub's CodeQL as the tool for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repo(s) on lgtm.com, or add regular CodeQL code scanning to your plugins.
If you have questions or feedback, please reach out to me directly, or email the Jenkins security team at firstname.lastname@example.org