Hi everyone,
GitHub announced last week that their code scanning functionality is now generally available[1].
The Jenkins security team has worked on queries specifically for Jenkins and Jenkins plugins.
I'd now like to share them with a limited audience to get some initial feedback before we start rolling them out more widely.
If you're interested in getting your plugin code scanned and the results to appear on the GitHub UI, please file an issue in the Jenkins Jira INFRA project for the 'github' component with a list of plugins/repos you're maintaining and would like code scanning results to be reported to. I encourage all maintainers to sign up for this. I think the findings are generally reasonably high quality, and even if not, the GitHub UI makes it really easy to hide irrelevant warnings.
Please note we're only scanning the default branch (typically 'master'), and only at irregular intervals. Future enhancements could integrate this with pull requests and run it on every commit on certain branches, but this is all still very new.
For now our queries aren't accessible publicly. If you're a regular contributor to Jenkins and interested in contributing to these Jenkins-specific code scanning queries, please reach out to me directly.
[1] https://github.blog/2020-09-30-code-scanning-is-now-available/
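For readers who want to see what the pull-request and per-commit integration mentioned above looks like in practice, the following is an added example of a GitHub Actions code scanning workflow for a Maven-based Jenkins plugin. It is not the Jenkins infrastructure team's configuration and does not contain the Jenkins-specific queries (which are not public); the action versions, Java version, branch name, cron schedule and build command are assumptions chosen for illustration.

```yaml
# Added example workflow, not the Jenkins project's own configuration.
# Assumed file location: .github/workflows/codeql.yml in a plugin repository.
name: CodeQL

on:
  push:
    branches: [ master ]        # the default branch, as in the scans described above
  pull_request:
    branches: [ master ]        # run on every PR targeting the default branch
  schedule:
    - cron: '0 3 * * 1'         # assumed weekly run instead of irregular manual scans

permissions:
  contents: read
  security-events: write        # required to upload results to the repository's Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '11'    # assumed; match the plugin's minimum Java version

      - uses: github/codeql-action/init@v2
        with:
          languages: java
          # Optional: widen coverage with GitHub's bundled query suite.
          # The Jenkins-specific queries are not public, so they are not referenced here.
          queries: +security-extended

      # CodeQL for Java needs a real build so it can observe compiled code.
      - name: Build plugin
        run: mvn -B -ntp -DskipTests package

      - uses: github/codeql-action/analyze@v2
```

Findings from the `pull_request` trigger appear as annotations on the PR, while `push` and `schedule` runs populate the repository's code scanning alerts; dismissing an irrelevant alert in the UI suppresses it across subsequent runs.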