const core = require(`@actions/core`);
const github = require(`@actions/github`);
const azdev = require(`azure-devops-node-api`);
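// Create an Azure DevOps work item of type `Issue` in the given project.
// REST reference: https://docs.microsoft.com/en-us/rest/api/azure/devops/
//
// @param {string} token        Azure DevOps personal access token.
// @param {string} orgUrl       Organization URL (e.g. https://dev.azure.com/<org>).
// @param {string} projectName  Target project name or id.
// @param {string} title        Work item title (System.Title).
// @param {string} description  Work item description (System.Description). Azure DevOps
//                              renders this field as HTML, so callers must escape any
//                              untrusted text they embed in it.
// @param {number} priority     Microsoft.VSTS.Common.Priority value (1 = highest).
// @returns {Promise<object>}   The created work item as returned by the API.
// @throws Rejects when the token is missing, or when the connection/REST call fails.
async function createIssue(token, orgUrl, projectName, title, description, priority) {
  if (!token) {
    // Fail early with a clear message instead of an opaque 401 from the API.
    throw new Error('createIssue: AZURE_PERSONAL_ACCESS_TOKEN is not set');
  }
  const authHandler = azdev.getPersonalAccessTokenHandler(token);
  const connection = new azdev.WebApi(orgUrl, authHandler);
  const workApi = await connection.getWorkItemTrackingApi();

  // JSON Patch document describing the fields of the new work item.
  const patchDocument = [
    { op: 'add', path: '/fields/System.Title', value: title },
    { op: 'add', path: '/fields/System.Description', value: description },
    { op: 'add', path: '/fields/Microsoft.VSTS.Common.Priority', value: priority },
  ];

  // Arguments are positional: (customHeaders, document, project, type). They are
  // passed as plain values here; writing them as `name = value` expressions, as the
  // original did, creates implicit globals rather than named arguments.
  return workApi.createWorkItem({}, patchDocument, projectName, 'Issue');
}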
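// Fetch the repository's vulnerability alerts via the GitHub GraphQL API.
// Schema: https://developer.github.com/v4/object/repositoryvulnerabilityalert/
//
// @param {object} context  The Actions context; `context.payload.repository` must
//                          carry `owner.login` and `name`.
// @returns {Promise<object>} The raw GraphQL response, with the alerts under
//                            `repository.vulnerabilityAlerts.nodes`.
// @throws Rejects when GITHUB_TOKEN is unset or the GraphQL call fails.
async function getVulnerabilities(context) {
  const githubToken = process.env.GITHUB_TOKEN;
  if (!githubToken) {
    throw new Error('getVulnerabilities: GITHUB_TOKEN is not set');
  }
  const octokit = new github.GitHub(githubToken);

  // Owner and name are passed as GraphQL variables rather than interpolated into
  // the query text, so a repository name can never change the query's structure.
  // Only the first 100 alerts are fetched; repositories with more alerts would
  // need `pageInfo`/`after` pagination, which this action does not implement.
  const query = `
    query ($owner: String!, $name: String!) {
      repository(owner: $owner, name: $name) {
        vulnerabilityAlerts(first: 100) {
          totalCount
          nodes {
            securityVulnerability {
              advisory {
                description
                identifiers {
                  type
                  value
                }
                references {
                  url
                }
                severity
                summary
              }
              firstPatchedVersion {
                identifier
              }
              package {
                name
                ecosystem
              }
              severity
              updatedAt
              vulnerableVersionRange
            }
            repository {
              nameWithOwner
            }
            vulnerableManifestFilename
            vulnerableManifestPath
            vulnerableRequirements
          }
        }
      }
    }
  `;

  const { owner, name } = context.payload.repository;
  return octokit.graphql(query, {
    owner: owner.login,
    name,
    headers: { authorization: `token ${githubToken}` },
  });
}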
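// Minimal HTML escaping for text embedded in the Azure DevOps description field,
// which is rendered as HTML. On `pull_request_target` the PR title can originate
// from a fork, so it is treated as untrusted before being placed in markup.
const escapeHtml = (text) =>
  String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');

// Map a GitHub advisory severity to an Azure DevOps priority (1 = highest).
const priorityFor = (severity) => {
  if (severity === 'CRITICAL' || severity === 'HIGH') return 1;
  return severity === 'MODERATE' ? 2 : 3;
};

try {
  const context = github.context;
  // Undefined on events that are not pull requests (e.g. push); guarded below so
  // the informational log at the end does not throw on those events.
  const pullRequest = context.payload.pull_request;
  const isPullRequestEvent =
    context.eventName === 'pull_request' || context.eventName === 'pull_request_target';
  let isDep = false;

  if (isPullRequestEvent && pullRequest.title.startsWith('Bump ')) {
    // Dependabot titles look like "Bump <name> from <old> to <new> [in <dir>]".
    const [, depName, , , , versionTo] = pullRequest.title.split(' ');
    if (depName && versionTo) {
      isDep = true;
      console.log(`Searching for Vulnerability Alerts with package name "${depName}" to patch to "${versionTo}"`);
      getVulnerabilities(context).then((vulnerabilities) => {
        let vulnerability;
        for (const node of vulnerabilities.repository.vulnerabilityAlerts.nodes) {
          const sv = node.securityVulnerability;
          // firstPatchedVersion is null when the advisory has no fixed version yet.
          const patched = sv.firstPatchedVersion && sv.firstPatchedVersion.identifier;
          console.log(`Found package name "${sv.package.name}" to patch to "${patched}"`);
          const nameMatches =
            sv.package.name === depName || sv.package.name.endsWith(`:${depName}`);
          // Keep the first alert for this package, but prefer one whose patched
          // version is exactly the version this PR bumps to.
          if (nameMatches && (vulnerability === undefined || patched === versionTo)) {
            vulnerability = sv;
          }
        }

        if (vulnerability) {
          const priority = priorityFor(vulnerability.severity);
          console.log(`Creating issue with...
Title: ${pullRequest.title}
Severity: ${priority} (${vulnerability.severity})
Description: ${pullRequest.html_url}\n${vulnerability.advisory.description}
`);
          const description =
            `<a href="${escapeHtml(pullRequest.html_url)}">${escapeHtml(pullRequest.title)}</a>` +
            `<br/>${escapeHtml(vulnerability.advisory.description)}`;
          createIssue(
            process.env.AZURE_PERSONAL_ACCESS_TOKEN,
            process.env.ORG_URL,
            process.env.PROJECT_NAME,
            pullRequest.title,
            description,
            priority,
          ).then((workItem) => {
            console.log(workItem);
            core.setOutput('id', `${workItem.id}`);
          }).catch((error) => {
            core.setFailed(error.message);
          });
        } else {
          console.log(`No matching vulnerabilities found:
${JSON.stringify(vulnerabilities, undefined, 2)}
`);
        }
      }).catch((error) => {
        core.setFailed(error.message);
      });
    }
  }

  if (!isDep) {
    console.log(`This is not a Pull Request generated by Dependabot...
Event: ${context.eventName}
Actor: ${context.actor}
Title: ${pullRequest ? pullRequest.title : undefined}
`);
  }
} catch (error) {
  core.setFailed(error.message);
}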