[security] audit repository tooling

[codeboten]

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

• CodeQL enabled via GitHub Actions - enabled in opentelemetry-cpp here GitHub Actions
• Static code analysis tool - missing, see [CI] Add a C++ static code analyser in the build #2297
• Repository security settings
  • Security Policy ✅ - enabled
  • Security advisories ✅ - enabled
  • Private vulnerability reporting ✅ - enabled
  • Dependabot alerts ✅ - enabled
  • Code scanning alerts ✅ - enabled

Parent issue: open-telemetry/sig-security#12

[sakshi-1505]

@codeboten I am an Outreachy candidate, can you please assign me this issue?

[codeboten]

Thanks @sakshi-1505, i don't have the ability to assign issues in this repo. @marcalff are you still working on this issue? would @sakshi-1505 be able to help? Thanks!

[github-actions]

This issue was marked as stale due to lack of activity.

[sakshi-1505]

Not stale

[github-actions]

This issue was marked as stale due to lack of activity.

[marcalff]

The last remaining part was to implement cppcheck in CI, which is now done.

Closing as completed.