Coverlet NuGet packages already have a score which could be improved with low effort, e.g. [Coverlet.collector](https://deps.dev/nuget/coverlet.collector).

Low-hanging fruit:

- SBOM metadata for NuGet package (#1752)
- Use CodeQL (SAST) in CI (#1712)

See also https://github.com/ossf/scorecard/blob/main/docs/checks.md