Create a Work Item on an Azure Board when a Security Vulnerability is found

peckjon/vulnerability-to-azure-board

Vulnerability to Azure Board

Create a Work Item on Azure Boards when a Security Vulnerability is found by Dependabot

Outputs

id

The id of the Work Item created in Azure Boards.

Example usage

  1. Ensure that Dependabot security updates are enabled for your repository, so that Dependabot opens a pull request when a vulnerable dependency is found

  2. Add a Secret named PERSONAL_TOKEN containing a GitHub Personal Access Token with the "repo" scope (a classic token with "repo" is broad, so use a dedicated account or the narrowest token your organization allows)

  3. Add a Secret named AZURE_PERSONAL_ACCESS_TOKEN containing an Azure DevOps Personal Access Token with "Read & write" permission for Work Items, and nothing more

  4. Add a workflow file which responds to pull requests via pull_request_target, customizing the ORG_URL and PROJECT_NAME properties:

name: Check for vulnerabilities

# 'on' is quoted so YAML does not read it as the boolean true
'on':
  pull_request_target:
    branches:
      - master

jobs:
  alert:
    runs-on: ubuntu-latest
    # github.actor is the account that triggered the run; the pull_request
    # payload has no top-level "actor" field, so github.event.actor would
    # never match and the job would never run.
    if: github.actor == 'dependabot[bot]'
    steps:
    # No actions/checkout here: a pull_request_target workflow must not run
    # code from the pull request head. Pin to a full commit SHA instead of
    # @master once you have reviewed the action.
    - uses: peckjon/vulnerability-to-azure-board@master
      env:
        GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
        AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
        ORG_URL: 'https://dev.azure.com/your_org_name'
        PROJECT_NAME: 'your_project_name'

NOTE: The workflow uses pull_request_target instead of the generic pull_request event because of GitHub's change to how Dependabot pull requests may read secrets (see the Changelog and Security details): on pull_request, a workflow triggered by a Dependabot PR gets a read-only GITHUB_TOKEN and no repository secrets, so the Azure PAT would be unavailable. pull_request_target runs in the context of the base branch with full access to secrets, which is exactly why it must be used carefully: never check out and execute code from the pull request head in such a workflow (the one above does not), and restrict the job to Dependabot, as the if: condition above does. You may want to restrict it further so that it only runs after a maintainer has applied a label, for example if: contains(github.event.pull_request.labels.*.name, 'safe to test') (add types: [labeled] under pull_request_target so the workflow is triggered when the label is applied). Pinning the action to a full commit SHA rather than @master keeps the code that runs with your Azure PAT from changing underneath you.
