[security] audit repository tooling

[sakshi-1505]

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• CodeQL enabled via GitHub Actions
• Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
• Repository security settings
  • Security Policy ✅
  • Security advisories ✅
  • Private vulnerability reporting ✅
  • Dependabot alerts ✅
  • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

[sakshi-1505]

cc: @codeboten @lzchen @aabmass

Please confirm if vulnerability reporting, dependabot alerts are configured for the repo as I don't have enough access to see those. I don't see us using any staticcode checker for Python, do you folks have any suggestion in mind for the same? I know we can use Mypy or Pylint.

[lzchen]

@sakshi-1505

We do use pylint for static code checking. Private vulnerability reporting and dependabot alerts are both enabled for this and the contrib repo.

[sakshi-1505]

Awesome, thanks @lzchen for helping with me with details. @codeboten can we close this?

[codeboten]

Looks good to me 👍🏻