Install ossf scorecards action and investigate the results

[alan-strohm]

Install the Scorecards Action and investigate the results. Scorecard is an automated tool that scans the project for security best practices. The GitHub Action runs a Scorecard scan on each change to the repository so you can monitor whether code changes introduce new security issues.

[rsned]

Created #143 to create the scorecard action.

[jmr]

Does #143 fix this or is there more to do?

[alan-strohm]

We should at least look at how to handle the "high" results here: https://github.com/golang/geo/security/code-scanning I already added a bug for the dependabot one. I haven't had a chance to look into why it thinks code-review is not required.