Securely authenticate GitLab.com SaaS SCM with Jenkins CI/CD

We are trying to securely authenticate GitLab.com SaaS SCM with Jenkins CI/CD. Security has raised a concern that we cannot use SCM because of the use of plain-text API keys to authenticate, which are not considered secure. However, GitLab CI/CD has OIDC support, which they approve. This urgently needs to be resolved in order for us to move forward with GitLab.com SCM:

  1. Can you suggest secure authentication patterns between SCM and Jenkins? This means they should not use API keys.
  2. Can OIDC be used in SCM?