Adding Security Workflows to GitHub Actions (2/2): gosec workflow

[AzfaarQureshi]

Motivation

Related to #1429 and issue open-telemetry/oteps#144

Gosec is a static analysis engine which scans go source code for security vulnerabilities. As the project grows and we near GA it might be useful to have a workflow which checks for security vulnerabilities with every PR so we can ensure every incremental change is following best development practices. Also passing basic security checks will also make sure that there aren't any glaring issues for our users.

Changes

• This PR adds gosec security checks to the repo

Workflow Triggers

• daily cron job at 2:30am
• workflow_dispatch (in case maintainers want to trigger a security check manually)

cc- @alolita

[MrAlias]

@AzfaarQureshi guessing you're on this, but if you could updated to the latest this looks ready to merge next.

[AzfaarQureshi]

@MrAlias yup, rebased!

[codecov]

Codecov Report

Merging #1429 (1ead36a) into master (11f732b) will decrease coverage by 0.0%.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           master   #1429     +/-   ##
========================================
- Coverage    78.6%   78.6%   -0.1%     
========================================
  Files         126     126             
  Lines        6375    6375             
========================================
- Hits         5017    5015      -2     
- Misses       1114    1115      +1     
- Partials      244     245      +1     

Impacted Files	Coverage Δ
sdk/trace/batch_span_processor.go	78.4% <0.0%> (-2.0%)	⬇️