[security] audit repository tooling

[sakshi-1505]

Describe the issue you're reporting

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• [ ] CodeQL enabled via GitHub Actions
• [ ] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• [x] Repository security settings
  • [x] Security Policy ✅
  • [x] Security advisories ✅
  • [ ] Private vulnerability reporting ✅
  • [ ] Dependabot alerts ✅
  • [ ] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

[sakshi-1505]

@bjandras Please confirm if the dependabot alerts & scanning alerts are enabled for the repository. I do see trivy checks in the actions so I guess we can mark-out the static code analysis tool, I will raise a PR for codeQL check. Please let me know if the plan of action seems correct.

[sakshi-1505]

\assign