GitHub Action

Vulnerability to Azure Board

0.4.2 Latest version


Create a Work Item on an Azure Board when a Security Vulnerability is found

Installation

Add the following step to the steps list of a job in your workflow .yml file. The marketplace snippet pins the release shown above (0.4.2); for an action that is handed secrets, prefer a release tag or, better still, a full commit SHA over a moving branch such as master.

- name: Vulnerability to Azure Board
  uses: peckjon/vulnerability-to-azure-board@0.4.2


Create a Work Item on Azure Boards when a Security Vulnerability is found by Dependabot


Outputs

id

The id of the Work Item created

Example usage

  1. Ensure that Dependabot security updates (previously called "Automated Security Updates") are enabled for your repository, so that Dependabot opens a pull request for each vulnerable dependency it finds.

  2. Add a Secret named PERSONAL_TOKEN containing a GitHub Personal Access Token with the "repo" scope. A classic token with "repo" scope reaches every repository its owner can write to, so treat it as a high-value secret: create it from a dedicated machine account rather than a personal one where possible, and give it an expiry.

  3. Add a Secret named AZURE_PERSONAL_ACCESS_TOKEN containing an Azure DevOps Personal Access Token whose only scope is Work Items with "Read & write" permission, also with an expiry.

  4. Add a workflow file which responds to pull requests via pull_request_target, replacing the ORG_URL and PROJECT_NAME environment variables with your Azure DevOps organization URL and project name:

name: Check for vulnerabilities

'on':
  pull_request_target:
    branches:
      - master

jobs:
  alert:
    runs-on: ubuntu-latest
    # github.actor is the account that triggered the run. The pull_request_target
    # payload carries "sender" and "pull_request.user" but no top-level "actor",
    # so github.event.actor is empty and a comparison against it never matches.
    if: github.actor == 'dependabot[bot]'
    steps:
    # @master is a moving reference; in production pin to a release tag or a full commit SHA.
    - uses: peckjon/vulnerability-to-azure-board@master
      env:
        GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
        AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
        ORG_URL: 'https://dev.azure.com/your_org_name'
        PROJECT_NAME: 'your_project_name'
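What the Azure PAT from step 3 is actually used for is a single call to the Azure DevOps Work Item Tracking REST API. The script below is an added example, not the action's own code, showing an equivalent call from a shell step: the URL shape, the JSON Patch body, the application/json-patch+json content type and the api-version parameter are the public API; the work item type Bug, the tag string, the environment variable defaults and the sample PR title are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the action's own code): create an Azure Boards work item
# for a Dependabot pull request with the Azure DevOps Work Item Tracking REST API.
# Work item type "Bug", the tag string and the sample title are assumptions.

# Defaults mirror the placeholders in the workflow above; override via the environment.
: "${ORG_URL:=https://dev.azure.com/your_org_name}"
: "${PROJECT_NAME:=your_project_name}"
: "${WORK_ITEM_TYPE:=Bug}"

# Work items are created with POST {org}/{project}/_apis/wit/workitems/${type};
# the '$' before the type name is part of the API path, not a shell variable.
work_item_url() {
  printf '%s/%s/_apis/wit/workitems/$%s?api-version=7.0' "$1" "$2" "$3"
}

# Escape a value for embedding in a JSON string: backslash, double quote and
# newline (lines are re-joined with a literal \n). PR titles and bodies are
# attacker-influenced (a package name ends up in the title), so never splice
# them into the request body unescaped.
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# The body is a JSON Patch document that sets the fields of the new item.
work_item_body() {
  title=$(json_escape "$1")
  desc=$(json_escape "$2")
  printf '[{"op":"add","path":"/fields/System.Title","value":"%s"},{"op":"add","path":"/fields/System.Description","value":"%s"},{"op":"add","path":"/fields/System.Tags","value":"security; dependabot"}]' \
    "$title" "$desc"
}

# HTTP Basic auth with an empty user name and the PAT as the password; prints the
# id of the created item, which is what the action exposes as its "id" output.
# Only this function talks to the network; nothing runs at load time.
create_work_item() {
  pat=$1; title=$2; desc=$3
  curl -fsS -u ":$pat" -X POST \
    -H 'Content-Type: application/json-patch+json' \
    --data "$(work_item_body "$title" "$desc")" \
    "$(work_item_url "$ORG_URL" "$PROJECT_NAME" "$WORK_ITEM_TYPE")" \
    | jq -r '.id'
}

# Usage from a workflow step (constructed sample title and description):
#   create_work_item "$AZURE_PERSONAL_ACCESS_TOKEN" \
#     "Bump lodash from 4.17.15 to 4.17.19" "Dependabot security update, PR #42"
```

The PAT is passed with `-u ":$pat"` so that it never appears in the URL or in a file; on a GitHub runner, keep it in a secret and pass it through `env:` exactly as the workflow above does, so it is masked in the job log.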

NOTE: pull_request_target is used instead of the generic pull_request event because of the change to how Dependabot-triggered workflows receive secrets (see the GitHub Changelog and Security details): since that change, pull_request runs for Dependabot pull requests no longer get repository secrets, whereas pull_request_target runs in the context of the base branch and does. The same property is what makes pull_request_target dangerous: the run holds secrets, so it must never check out or execute code from the pull request head. Use it carefully: restrict the job to Dependabot, as the `if:` condition in the workflow above does, and consider gating it further behind a label that a maintainer applies after reviewing the PR, for example `if: contains(github.event.pull_request.labels.*.name, 'safe to test')` (add `labeled` to the event's `types`, since the default types for pull_request_target do not include it).
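Putting the two safeguards from the note together, as an added example that is not part of the project's README: the label gate needs `labeled` among the event types, and once a maintainer's label application is what triggers the run, `github.actor` is the maintainer rather than Dependabot, so the Dependabot check has to look at the PR author (`github.event.pull_request.user.login`) instead. The label name, the `permissions` block and the comments are assumptions for the example; the action reference and environment variables are the ones from the workflow above.

```yaml
name: Check for vulnerabilities

'on':
  pull_request_target:
    # 'labeled' is not a default type; without it the label gate below never fires.
    types: [opened, synchronize, reopened, labeled]
    branches:
      - master

# Least privilege for the workflow's own GITHUB_TOKEN; the action gets its
# tokens from the env block below, not from this permission set.
permissions:
  contents: read

jobs:
  alert:
    runs-on: ubuntu-latest
    # Both must hold: the PR was opened by Dependabot, and a maintainer has applied
    # the 'safe to test' label after reviewing it. The author check is used rather
    # than github.actor because on the 'labeled' event the actor is the maintainer.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      contains(github.event.pull_request.labels.*.name, 'safe to test')
    steps:
    # Deliberately no actions/checkout of the PR head: this run holds secrets, and
    # checking out or executing code from the PR branch would expose them to
    # whoever controls that branch.
    # Pin to a release tag or a full commit SHA in production instead of @master.
    - uses: peckjon/vulnerability-to-azure-board@master
      env:
        GITHUB_TOKEN: '${{ secrets.PERSONAL_TOKEN }}'
        AZURE_PERSONAL_ACCESS_TOKEN: '${{ secrets.AZURE_PERSONAL_ACCESS_TOKEN }}'
        ORG_URL: 'https://dev.azure.com/your_org_name'
        PROJECT_NAME: 'your_project_name'
```

With this gate, a Dependabot PR creates no work item until someone with triage rights has looked at it and applied the label; the cost is one manual step per PR, which is the usual trade-off for any pull_request_target workflow that carries credentials.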