[security] audit repository tooling

[EjiroLaurelD]

Hello, The Security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• [x] CodeQL enabled via GitHub Actions
• [x] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• [x] Repository security settings
  • [x] Security Policy ✅
  • [x] Security advisories ✅
  • [x] Private vulnerability reporting ✅
  • [x] Dependabot alerts ✅
  • [x] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

[jaydeluca]

Just a note, since there is no functional code in this repository, CodeQL will not apply (I tested what it would do and it results in the github action failing with the error CodeQL did not detect any code written in languages supported by CodeQL.). The same for Static code analysis.

[tsloughter]

I thought most Otel repos has moved to renovate from dependabot? Can either be used?

[codeboten]

I thought most Otel repos has moved to renovate from dependabot? Can either be used?

This is true for dependency management, dependabot is still used for security alerts though

[codeboten]

The last item (govulncheck) was addressed, marking this issue closed