[security] audit repository tooling

[codeboten]

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• CodeQL enabled via GitHub Actions
• Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• Repository security settings
  • Security Policy ✅
  • Security advisories ✅
  • Private vulnerability reporting ✅
  • Dependabot alerts ✅
  • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

[jack-berg]

I've went ahead and checked all the boxes and closed the issue. Feel free to re-open if my answers warrant further discussion.

Some notes on each item:

• CodeQL enabled via GitHub Actions - Yes, see runs here.
• Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build). Yes, we use OWASP dependency check gradle plugin. See runs here. We also run error prone as a part pf every build.
• Repository security settings
  • Security Policy ✅ - We inherit the general security policy. See opentelemetry-java/security/policy.
  • Security advisories ✅ - Enabled.
  • Private vulnerability reporting ✅ - Enabled.
  • Dependabot alerts ✅ - Dependabot alerts are set up, but we use renovate for automatically updating versions.
  • Code scanning alerts ✅ - Enabled.