# Vulnerability to Azure Board

Create a Work Item on Azure Boards when a Security Vulnerability is found by Dependabot


## Outputs

| Name | Description |
| --- | --- |
| `id` | The id of the Work Item created |

## Example usage

1. Ensure that Automated Security Updates are enabled for your repository.

2. Add a Secret named `PERSONAL_TOKEN` containing a GitHub Personal Access Token with the "repo" scope.

3. Add a Secret named `AZURE_PERSONAL_ACCESS_TOKEN` containing an Azure Personal Access Token with "read & write" permission for Work Items.

4. Add a workflow file which responds to Pull Requests via `pull_request_target`, customizing the `ORG_URL` and `PROJECT_NAME` properties:

```yaml
name: Check for vulnerabilities

'on':
  pull_request_target:
    branches:
      - master

jobs:
  alert:
    runs-on: ubuntu-latest
    # Only run for pull requests triggered by Dependabot. The actor lives in
    # the top-level `github` context, not in the event payload.
    if: github.actor == 'dependabot[bot]'
    steps:
    - uses: peckjon/vulnerability-to-azure-board@master
      env:
        GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
        AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
        ORG_URL: 'https://dev.azure.com/your_org_name'
        PROJECT_NAME: 'your_project_name'
```

NOTE: This workflow uses `pull_request_target` rather than the generic `pull_request` event because GitHub changed how Dependabot-triggered runs access secrets (see the Changelog and Security details): `pull_request` runs opened by Dependabot no longer receive repository secrets, whereas `pull_request_target` runs in the context of the base repository with secrets available. That same context is why `pull_request_target` must be used securely: the workflow above never checks out or executes code from the pull request, and its `if` condition limits it to runs triggered by Dependabot. You may want to restrict it further with a conditional that only runs once a maintainer has applied a label, for example `if: contains(github.event.pull_request.labels.*.name, 'safe to test')`.
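A hardened variant of the workflow, combining the Dependabot actor check with the label gate described in the note. This is an added example, not the project's own workflow file; the `permissions` block, the `labeled` trigger type and the label name `safe to test` are assumptions, while the action and its inputs are the same as above.

```yaml
name: Check for vulnerabilities

'on':
  pull_request_target:
    # `labeled` is included (assumption) so that applying the gate label
    # re-triggers the run; with only the default types, a label added after
    # the PR was opened would never cause the job to execute.
    types: [opened, synchronize, reopened, labeled]
    branches:
      - master

# Least privilege for the automatic GITHUB_TOKEN (assumption): the action
# authenticates to Azure with its own PAT and receives a separate GitHub PAT,
# so the workflow token needs nothing beyond read access.
permissions:
  contents: read
  pull-requests: read

jobs:
  alert:
    runs-on: ubuntu-latest
    # Both gates must hold: the run was triggered by Dependabot AND a
    # maintainer has applied the 'safe to test' label after reviewing the PR.
    if: github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'safe to test')
    steps:
      # Deliberately no checkout of the PR head: pull_request_target runs with
      # base-repository secrets, so this job must never run code from the PR.
      - uses: peckjon/vulnerability-to-azure-board@master
        env:
          GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
          AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
          ORG_URL: 'https://dev.azure.com/your_org_name'
          PROJECT_NAME: 'your_project_name'
```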