dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.

Feature request: include CVE-ID as output

chrivand opened this issue

The external_identifier field contains the CVE-ID, which should be quite easy to include in this action. Did I miss it or has this not (yet) been implemented? Thanks!

We'd happily accept a PR for this!

CVE ID is included in the alert-identifiers, with PR 388.

Set output alert-identifiers = [{"type":"GHSA","value":"GHSA-rp65-9cf3-cjxr"},{"type":"CVE","value":"CVE-2021-3803"}]
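
Reading that `alert-identifiers` value in a later step, as an added example that is not part of this thread or of the fetch-metadata code base: it parses the JSON from the log line above and keeps only identifiers that match the expected CVE or GHSA shape, so they can be reused in labels, comments or command arguments. The function name, the `rejected` bucket and the handling of an empty output are assumptions made for illustration.

```javascript
// Added example: consume the `alert-identifiers` output shown above.
// SAMPLE_OUTPUT is copied from the log line on this page; all names below are hypothetical.
const SAMPLE_OUTPUT =
  '[{"type":"GHSA","value":"GHSA-rp65-9cf3-cjxr"},{"type":"CVE","value":"CVE-2021-3803"}]';

// Strict shapes: only values matching these are passed on to later steps.
const PATTERNS = {
  CVE: /^CVE-\d{4}-\d{4,}$/,
  GHSA: /^GHSA(-[23456789cfghjmpqrvwx]{4}){3}$/,
};

function parseAlertIdentifiers(raw) {
  const result = { CVE: [], GHSA: [], rejected: [] };
  // Assumption: an empty or missing output means no alert was matched to the PR.
  if (typeof raw !== 'string' || raw.trim() === '') return result;

  let entries;
  try {
    entries = JSON.parse(raw);
  } catch {
    result.rejected.push(raw); // not JSON at all: keep it for the job log
    return result;
  }
  if (!Array.isArray(entries)) {
    result.rejected.push(raw);
    return result;
  }

  for (const entry of entries) {
    const type = entry && typeof entry.type === 'string' ? entry.type.toUpperCase() : '';
    const value = entry && typeof entry.value === 'string' ? entry.value.trim() : '';
    const known = Object.prototype.hasOwnProperty.call(PATTERNS, type);
    if (known && PATTERNS[type].test(value)) {
      if (!result[type].includes(value)) result[type].push(value); // de-duplicate
    } else {
      result.rejected.push(JSON.stringify(entry)); // unknown type or malformed value
    }
  }
  return result;
}

console.log(parseAlertIdentifiers(SAMPLE_OUTPUT));
```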