Vulnerability Alert - Trigger Workflow

Hi,

I’m looking to create a GitHub Action to open an issue when a vulnerability alert (dependency alert) is posted to the repository.

Is there a way to trigger a GitHub Action when a security alert is posted? I’ve reviewed the Events that Trigger Workflows and there doesn’t appear to be anything related to security events.

This is currently accessible via the GraphQL API: https://developer.github.com/v4/object/repository/#vulnerabilityalerts

So, the only option right now is to schedule the GitHub Action to run daily, access the API to see if there are any open security alerts, and open the issue if it hasn’t already been opened. Ideally, this would be kicked off as soon as a vulnerability is posted.

Any help here would be appreciated. Thanks!

Hi @ahinkle ,

Thank you for reaching out! Currently there are no events for Vulnerability Alerts; it’s recommended to raise a feature request here, where a GitHub product manager will review it.

Meanwhile, I notice there is a Vulnerability Alert webhook in the repository settings.


You can use an external endpoint to receive the webhook payload and parse the action, e.g. create. On your server, create a commit to your GitHub repository to trigger the GitHub workflow.

https://help.github.com/en/github/extending-github/about-webhooks

https://github.community/t5/GitHub-API-Development-and/GitHub-Web-Hooks-documentation/td-p/24404

https://dev.to/_mertsimsek/automating-git-events-with-github-webhook-39dg

Thanks.
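As an added example (not code from the thread or from GitHub), here is the decision logic for the external endpoint described in the reply above: it verifies the X-Hub-Signature-256 HMAC that GitHub sends with every webhook delivery before trusting the body, then reacts only to the create action of the repository_vulnerability_alert event. The shared secret and the sample payload are constructed; the HTTP server wrapper and the step that opens the issue or triggers the workflow are left to the caller.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret: the same value must be entered in the repository's
# webhook settings so GitHub signs each delivery with it.
WEBHOOK_SECRET = b"constructed-shared-secret"

# Constructed minimal repository_vulnerability_alert payload; real deliveries
# carry more fields, but these are the ones the handler reads.
SAMPLE_PAYLOAD = json.dumps({
    "action": "create",
    "alert": {"id": 1,
              "affected_package_name": "example-pkg",
              "external_identifier": "GHSA-xxxx-xxxx-xxxx"},
}).encode()


def compute_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub places in the X-Hub-Signature-256 header for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time comparison; a missing header is rejected, not skipped."""
    if not header:
        return False
    return hmac.compare_digest(compute_signature(secret, body), header)


def handle_delivery(secret: bytes, body: bytes, signature: Optional[str],
                    event: str) -> dict:
    """Return what the server should do with one webhook delivery."""
    if not verify_signature(secret, body, signature):
        # Unsigned or tampered body: do not parse it, do not act on it.
        return {"status": 401, "open_issue": False, "reason": "bad signature"}
    if event != "repository_vulnerability_alert":
        return {"status": 204, "open_issue": False, "reason": "ignored event"}
    payload = json.loads(body)
    if payload.get("action") != "create":
        # dismiss/resolve actions need no new issue.
        return {"status": 204, "open_issue": False, "reason": "not a new alert"}
    alert = payload.get("alert", {})
    title = (f"Security alert: {alert.get('affected_package_name')} "
             f"({alert.get('external_identifier')})")
    return {"status": 200, "open_issue": True, "title": title}
```

The returned dict is what the server wrapper acts on, for example by creating the commit the reply suggests, so the workflow trigger stays out of the signature-checking path.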