Create a Work Item on Azure Boards when a Security Vulnerability is found by Dependabot
The action outputs the id of the Work Item created.

Setup:

- Ensure that Automated Security Updates are enabled for your repository.
- Add a Secret named `PERSONAL_TOKEN` containing a GitHub Personal Access Token with the "repo" scope.
- Add a Secret named `AZURE_PERSONAL_ACCESS_TOKEN` containing an Azure Personal Access Token with "read & write" permission for Work Items.
- Add a workflow file which responds to Pull Requests via `pull_request_target`, customizing the `ORG_URL` and `PROJECT_NAME` properties:
```yaml
name: Check for vulnerabilities
'on':
  pull_request_target:
    branches:
      - master
jobs:
  alert:
    runs-on: ubuntu-latest
    # github.actor is the account that triggered the run; the pull_request
    # webhook payload (github.event) has no "actor" field, so the check must
    # use the top-level context here or it never evaluates to true.
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: peckjon/vulnerability-to-azure-board@master
        env:
          GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
          AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
          ORG_URL: 'https://dev.azure.com/your_org_name'
          PROJECT_NAME: 'your_project_name'
```
NOTE: The reason for using `pull_request_target` instead of the generic `pull_request` trigger is GitHub's change to how Dependabot-triggered workflows may read secrets (see the Changelog and Security details). It is therefore important to use `pull_request_target` securely, for example by ensuring that the actor triggering the workflow is Dependabot. You may want to restrict the workflow further with a conditional so that it only runs once a label has been applied, e.g. `if: contains(github.event.pull_request.labels.*.name, 'safe to test')`.
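A hardened variant of the workflow above that applies both restrictions the note suggests, as an added example that is not part of this action's README. The label name `safe to test`, the branch name and the org/project values are assumptions (placeholders). One detail worth seeing worked through: if the job triggers on the `labeled` event so that a maintainer's label can gate it, then `github.actor` on that event is the maintainer, not Dependabot, so the two conditions would never both hold. The example therefore checks the pull request author (`github.event.pull_request.user.login`) rather than the triggering actor, and adds a `permissions` block so the run's default token is read-only.

```yaml
name: Check for vulnerabilities (hardened)

# Added example, not the action's own documented workflow. Including the
# 'labeled' activity type lets a maintainer's label application start the
# run; the other types cover the normal Dependabot PR lifecycle.
'on':
  pull_request_target:
    types: [opened, synchronize, reopened, labeled]
    branches:
      - master   # assumption: change to your default branch

# Least-privilege default GITHUB_TOKEN for the run. The action itself
# authenticates with the PERSONAL_TOKEN secret, so the workflow token only
# needs read access.
permissions:
  contents: read
  pull-requests: read

jobs:
  alert:
    runs-on: ubuntu-latest
    # Both conditions must hold:
    #  1. the PR was opened by Dependabot (checked via the PR author, because
    #     on a 'labeled' event github.actor is whoever applied the label);
    #  2. a maintainer has applied the assumed 'safe to test' label.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      contains(github.event.pull_request.labels.*.name, 'safe to test')
    steps:
      # Deliberately no checkout of the PR head: pull_request_target runs the
      # base branch's workflow, and this job never executes code from the PR.
      - uses: peckjon/vulnerability-to-azure-board@master
        env:
          GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
          AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
          ORG_URL: 'https://dev.azure.com/your_org_name'   # placeholder
          PROJECT_NAME: 'your_project_name'                # placeholder
```

With this configuration a Dependabot PR does nothing on open; the Work Item is created only after a maintainer has reviewed the PR and applied the label, which is the review step the note recommends.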