Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/peckjon/vulnerability-to-azure-board

Create a Work Item on an Azure Board when a Security Vulnerability is found

Last synced: 2 months ago

README


# Vulnerability to Azure Board
Create a Work Item on Azure Boards when a Security Vulnerability is [found by Dependabot](https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies)

![screenshot](vulnerability_to_board.png)

## Outputs

### `id`

The id of the Work Item created

## Example usage

1. Ensure that [Automated Security Updates](https://help.github.com/en/github/managing-security-vulnerabilities/configuring-automated-security-updates) are enabled for your repository

2. Add a Secret named `PERSONAL_TOKEN` containing a [GitHub Personal Access Token](https://github.com/settings/tokens) with the "repo" scope

3. Add a Secret named `AZURE_PERSONAL_ACCESS_TOKEN` containing an [Azure Personal Access Token](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate) with "read & write" permission for Work Items

4. Add a workflow file that responds to pull requests via `pull_request_target`, replacing the `ORG_URL` and `PROJECT_NAME` values with your own Azure DevOps organization URL and project name:

```yaml
name: Check for vulnerabilities

# `on` is quoted because unquoted `on` is parsed as a boolean by YAML 1.1 parsers.
'on':
  pull_request_target:
    branches:
      - master

jobs:
  alert:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot. `github.actor` is the
    # documented context value; the pull_request payload has no `actor` field.
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: peckjon/vulnerability-to-azure-board@master
        env:
          GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
          AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
          ORG_URL: 'https://dev.azure.com/your_org_name'
          PROJECT_NAME: 'your_project_name'
```

**NOTE**: `pull_request_target` is used instead of plain `pull_request` because, since February 2021, workflows triggered by Dependabot pull requests through `pull_request` run with a read-only `GITHUB_TOKEN` and no access to repository secrets ([Changelog](https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/)), so the two tokens above would be empty. `pull_request_target` runs in the context of the base branch with secrets available, which is exactly what makes it dangerous when combined with untrusted pull request code ([Security details](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)). Use it carefully: keep the `if:` condition that restricts the job to `dependabot[bot]`, do not check out or execute the pull request's head ref anywhere in this workflow (the action above only calls the GitHub and Azure DevOps APIs), and consider gating the job further on a label that a maintainer applies by hand, for example `if: github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'safe to test')`.