[security] audit repository tooling

[sakshi-1505]

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• CodeQL enabled via GitHub Actions
• Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• Repository security settings
  • Security Policy ✅
  • Security advisories ✅
  • Private vulnerability reporting ✅
  • Dependabot alerts ✅
  • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

[sakshi-1505]

@breedx-splk Can you please confirm if dependabot alerts are configured? Also, I don't see any java static checker configured for the repository, do you mind if I configure Sonarqube for our repository?

[breedx-splk]

Hey @sakshi-1505 -- the java-based projects are now using (mend) Renovatebot for dependency scanning, not dependabot. The dashboard for renovate exists as an issue in our repo: #23