[security] audit repository tooling

[EjiroLaurelD]

Hello, The Security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• [ ] CodeQL enabled via GitHub Actions
• [x] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• [ ] Repository security settings
  • [x] Security Policy ✅
  • [x] Security advisories ✅
  • [x] Private vulnerability reporting ✅
  • [ ] Dependabot alerts ✅
  • [ ] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

[atoulme]

This repository doesn't use dependabot as dependencies are managed directly via the release process. Static code analysis tool -> the repository uses shellcheck.