[security] audit repository tooling

[codeboten]

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• [x] CodeQL enabled via GitHub Actions
• [ ] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• [x] Repository security settings
  • [x] Security Policy ✅
  • [x] Security advisories ✅
  • [x] Private vulnerability reporting ✅
  • [x] Dependabot alerts ✅
  • [x] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

[Twhite2]

@codeboten I'm Jarvis an outreachy candidate, Please assign me to this issue.

[cartermp]

@codeboten I've checked off what was added in repository settings. But aside from static code analysis (which I know we'd have to add some other way), I'm not sure how to check the remaining items? A security policy is a SECURITY.MD file with some standard text, right? I looked at the go-build-tools repo and noticed this item is checked off, but that file doesn't exist.

[codeboten]

@cartermp the items under "Repository security settings" capture whether the following are enabled in the repo's "Security" tab:

[codeboten]

For the SECURITY.md, if one isn't present in the repo, it is inherited from the .github repo: https://github.com/open-telemetry/.github/

[cartermp]

Gotcha! In that case I updated everything other than the static code analysis tool one. I think we may technically have that with CodeQL turned on for JS?