Following this discussion as well as some additional chat, I reached the conclusion that the way the security scan dashboard presents itself is currently more a source of anxiety for admins than an actual help to keep wikis secure.
Therefore, I propose to:
- deactivate the scan by default
- add a disclaimer at the top of the administration page, explaining that the feature is currently experimental and might lead to false positives
Then, as soon as the roadmap allows, we’ll improve the feature until we reach a point where it can be activated by default again.
Here is my +1.