jupyter / security

Recommendations on CodeQL and other automated scanning?

krassowski opened this issue · comments

I wonder if you have thoughts on setting up automated code scanning for code repositories, for example with CodeQL. Personally, it helped me catch some issues, but I know it can be noisy on larger projects (but those are few). Should Jupyter subprojects be encouraged to include such a job on CI (some already have)?

In theory I think it's a good thing, in practice I think many of us aren't sure how to use CodeQL effectively, e.g. see jupyterhub/binderhub#1404

Perhaps recommending CodeQL along with the option of help from someone who can optimise the config, or provide advice on reducing noise, could be helpful? This inevitably leads to the question of who can provide that help, is it voluntary or paid, etc. Perhaps a Jupyter Security Advocate (analogous to a developer/community advocate) position?
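As an added illustration of the kind of "optimised config" discussed above (this is not a configuration from the Jupyter security repo or any subproject), here is a CodeQL CI job plus a config file that trims the usual noise sources. It assumes a repository with Python and JavaScript code, `tests/` and `docs/` directories, and that `py/unused-import` is one of the findings the maintainers consider non-actionable; adjust the paths and query ids to the project.

```yaml
# .github/workflows/codeql.yml  (added example, assumed layout)
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"      # weekly full scan catches newly added queries
permissions:
  contents: read
  security-events: write      # required to upload results to code scanning
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
---
# .github/codeql/codeql-config.yml  (added example, assumed layout)
name: "Subproject scan with reduced noise"
paths-ignore:
  - "**/tests/**"             # fixtures deliberately contain unsafe patterns
  - "docs/**"
  - "**/*.min.js"             # vendored or minified bundles, not project code
query-filters:
  - exclude:
      id: py/unused-import    # example: a style finding, not a security issue
```

Excluding a query id hides every alert from that query, so it is better reserved for findings that are never actionable in that project; a one-off false positive is more safely dismissed in the code scanning UI, which keeps the query active for future code.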