[security] audit repository tooling

[EjiroLaurelD]

Hello,
The Security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• CodeQL enabled via GitHub Actions
• Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• Repository security settings
  • Security Policy ✅
  • Security advisories ✅
  • Private vulnerability reporting ✅
  • Dependabot alerts ✅
  • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

[trask]

hi @EjiroLaurelD!

I verified these are enabled on the repository:

• Private vulnerability reporting
• Dependabot alerts

There's not much code in this repository (a few scripts and github actions), so I suspect that the others may not apply.

[EjiroLaurelD]

hi @EjiroLaurelD!

I verified these are enabled on the repository:

• Private vulnerability reporting
• Dependabot alerts

There's not much code in this repository (a few scripts and github actions), so I suspect that the others may not apply.

Thank you for your response