[security] audit repository tooling

[arademm]

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• [x] CodeQL enabled via GitHub Actions
• [ ] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• [ ] Repository security settings
  • [x] Security Policy ✅
  • [ ] Security advisories ✅
  • [x] Private vulnerability reporting ✅
  • [ ] Dependabot alerts ✅
  • [ ] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

[pichlermarc]

I went through the list to double-check if we have everything set up here, opened one PR to align settings with recommendations:

• CodeQL enabled via GitHub Actions
  • opened a PR to align the workflow with the recommendations (https://github.com/open-telemetry/opentelemetry-js-contrib/pull/2461)
• Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • We currently use Dependabot which operates on package-lock.json and run eslint, I reached out to some of the other maintainers of this repo and we determined that this provides enough coverage, see also https://github.com/open-telemetry/opentelemetry-js/issues/4101
• Repository security settings
  • Security Policy
    • we inherit the organization's policy
  • Security advisories
  • enabled
  • Private vulnerability reporting
  • enabled
  • Dependabot alerts
  • enabled
  • Code scanning alerts
  • enabled

@arademm looks like we can close this once https://github.com/open-telemetry/opentelemetry-js-contrib/pull/2461 merges, please let me know if there's anything else to take care of :slightly_smiling_face: