Add CodeQL Security Scans

[kxyr]

Motivation

Follow up to issue Follow up to issue open-telemetry/oteps#144

CodeQL is GitHub's static analysis engine which scans repos for security vulnerabilities. As the project grows and we near GA it might be useful to have a workflow which checks for security vulnerabilities with every PR so we can ensure every incremental change is following best development practices. Also passing basic security checks will also make sure that there aren't any glaring issues for our users.

Changes

This PR adds CodeQL security checks to the repo

• After every run the workflow uploads the results to GitHub. Details on the run and security alerts will show up in the security tab of this repo.

Workflow Triggers

• daily cron job at 1:30am
• workflow_dispatch (in case maintainers want to trigger a security check manually)

cc- @alolita

[djaglowski]

Thank you for adding this.

Just a minor note on the changelog format.

[djaglowski]

It appears we have a bit of a chicken/egg situation, as one of the new checks wishes to compare results to previous scans on main.

I think we may need to temporarily modify main branch protection rules to allow this PR to be merged. @tigrannajaryan Does this seem reasonable?

[tigrannajaryan]

It appears we have a bit of a chicken/egg situation, as one of the new checks wishes to compare results to previous scans on main.

I think we may need to temporarily modify main branch protection rules to allow this PR to be merged. @tigrannajaryan Does this seem reasonable?

I don't see any failed checks that prevent merging. All seems OK?

[djaglowski]

My mistake, I wasn't aware of neutral checks and was thinking about it in binary.