Vulnerability to Azure Board

Create a Work Item on an Azure Board when a Security Vulnerability is found
0.4.2
Latest

Vulnerability to Azure Board

Create a Work Item on Azure Boards when a Security Vulnerability is found by Dependabot

Outputs

id

The id of the Work Item created

Example usage

  1. Ensure that Dependabot's automated security updates are enabled for your repository, so that Dependabot opens pull requests when a vulnerable dependency is found

  2. Add a Secret named PERSONAL_TOKEN containing a GitHub Personal Access Token with the "repo" scope (this is a long-lived credential; grant it no additional scopes and rotate it like any other secret)

  3. Add a Secret named AZURE_PERSONAL_ACCESS_TOKEN containing an Azure DevOps Personal Access Token with the "Work Items (Read & write)" scope

  4. Add a workflow file which responds to pull requests via pull_request_target, replacing the ORG_URL and PROJECT_NAME environment variables with your own organization URL and project name:

name: Check for vulnerabilities

'on':
  pull_request_target:
    branches:
      - master

jobs:
  alert:
    runs-on: ubuntu-latest
    # github.actor is the account that triggered the event. The pull_request
    # event payload has no top-level "actor" field, so a condition written as
    # github.event.actor == 'dependabot[bot]' compares an empty string and the
    # job never runs.
    if: github.actor == 'dependabot[bot]'
    steps:
    # Prefer pinning the action to a release tag or a full commit SHA rather
    # than the mutable master branch, so a later change to the action cannot
    # silently run with your secrets.
    - uses: peckjon/vulnerability-to-azure-board@master
      env:
        GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
        AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
        ORG_URL: 'https://dev.azure.com/your_org_name'
        PROJECT_NAME: 'your_project_name'

NOTE: The workflow uses pull_request_target rather than the generic pull_request event because of GitHub's change to how Dependabot-triggered workflows receive secrets (see the linked Changelog and Security details): a pull_request workflow started by a Dependabot pull request gets a read-only GITHUB_TOKEN and no repository secrets, so the step could not read PERSONAL_TOKEN or AZURE_PERSONAL_ACCESS_TOKEN. The trade-off is that pull_request_target runs in the context of the base branch with secrets available, so it must be used carefully: never check out or execute code from the pull request head in such a workflow, and restrict who can trigger it. The if: condition above limits the job to events triggered by Dependabot. You can tighten this further so the job runs only after a maintainer has reviewed the pull request and applied a label, for example if: contains(github.event.pull_request.labels.*.name, 'safe to test').
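The hardened form of the workflow above, as an added example that is not part of the action's README: it keeps the pull_request_target trigger, identifies the pull request author rather than the triggering actor, gates on a 'safe to test' label, and never checks out the pull request's code. The event types, the permissions block and the label name are assumptions; adapt them to your repository.

```yaml
name: Check for vulnerabilities

# Added example, not the action's own README workflow.
# pull_request_target runs on the base branch with secrets available, so this
# job must never execute code from the PR head. It checks out nothing and only
# reads event metadata.
on:
  pull_request_target:
    # Assumption: react when the PR is opened and when a label is applied, so
    # the label gate below can trigger the job after review.
    types: [opened, labeled]
    branches:
      - master

# Assumption: the action authenticates with the PERSONAL_TOKEN PAT, so the
# workflow's own GITHUB_TOKEN can be limited to read-only.
permissions:
  contents: read
  pull-requests: read

jobs:
  alert:
    runs-on: ubuntu-latest
    # Both gates must hold: the PR was opened by Dependabot AND a maintainer
    # has applied the 'safe to test' label after reviewing it. The author is
    # read from the PR object, not from github.actor, because on the
    # 'labeled' event the actor is the maintainer who applied the label.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      contains(github.event.pull_request.labels.*.name, 'safe to test')
    steps:
      # Deliberately no actions/checkout step. Adding one with
      # ref: ${{ github.event.pull_request.head.sha }} and then building or
      # testing would let PR-supplied code run with the secrets below.
      - uses: peckjon/vulnerability-to-azure-board@master  # prefer a release tag or full commit SHA
        env:
          GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
          AZURE_PERSONAL_ACCESS_TOKEN: ${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}
          ORG_URL: 'https://dev.azure.com/your_org_name'
          PROJECT_NAME: 'your_project_name'
```

The author check matters once the label gate is in place: the event that finally starts the job is the labeled action performed by a maintainer, so github.actor is that maintainer and a github.actor == 'dependabot[bot]' condition would never pass, whereas github.event.pull_request.user.login names whoever opened the pull request regardless of who labelled it. Because no step checks out code from the pull request head, nothing the pull request contributes can read the secrets exposed to this job.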

Vulnerability to Azure Board is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
