Improve security practices for carbon-react-native

[tay1orjones]

Hey there, Carbon team member here! 👋 We'd like to ensure the security practices for packages published from the carbon-design-system GitHub org are in place and up to date. We'd like to work with you to get the following security practices implemented:

Tasks

Preview Give feedback

1. Add a security policy to the repository
2. Enable Security advisories
3. Enable Private vulnerability reporting
4. Enable Dependabot alerts
5. Enable Code scanning alerts
6. Enable Secret scanning alerts
7. Publish your package(s) to npm with provenance statements

Most of these can be found under the Security tab for this repository. You may already have most of these implemented and turned on - if so, awesome!

For establishing a security policy, the existing security policy for the Carbon monorepo can be used as a template if you'd like. It can be modified to include proper version(s) for your package and any other attributes unique to your project that you may want to highlight.

I'm happy to meet up and chat about this if you'd like, just let me know. Thanks in advance for your help in ensuring security and stability across the Carbon ecosystem! 🙏 💙

[dabrad26]

All items are added. However, provenance is not yet published. Currently Github Actions has some issues (see #150 ).

The other items are complete and I have gone ahead and set the package.json file to provenance; so need to run from GitHub actions to have the standard approach npm ERR! Automatic provenance generation not supported outside of GitHub Actions

@tay1orjones if you have some time could you help me with the GitHub action issue #150?

[dabrad26]

Added provenance statement and verified on NPM

All items on this ticket are complete; so closing it. Let me know if you need it opened or if something is not right.