Thanks for signing up!
I'm not sure if any of these are worth enabling yet, but I also have access to the following which seem relevant:
Release permissions only, not just committer access. Sorry.
Which means the following repos are signed up:
SSH Credentials and PAM Auth already were, the rest is new.
An initial scan is finished, and I added the repo(s) to the list for future re-scans.
Unresolved findings are shown with an "unread indicator" on the "Security" tab on each repo.
If you think a finding is a true positive security issue, please file those in the SECURITY tracker so we can review the fix and coordinate a release.
We're using GitHub's CodeQL as the tool for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repos on lgtm.com, or add regular CodeQL code scanning to your plugins.
If you have questions or feedback, as a security team member, please file issues in jenkinsci-cert/codeql.