In my GitHub Org job (using GitHub Enterprise), I added a pipeline lib source that is in GitHub. If the scan credential is scoped to the job (created in the job, vs created in the global credential store), there are two problems:
1) The config page under branch shows an error instead of "Currently maps to revision: $SHA".
2) If using a job-scoped credential, the "git fetch" in the job execution does not contain a line saying "Setting GIT_ASKPASS ..."
If I switch to the identical credential stored in the global scope, both the config page and the git fetch (GIT_ASKPASS) works.
I can give more details or try to isolate the problem if needed (standalone, minimal sets of plugins).