Create .github/workflows/scorecard.yml in your repository
Use ossf/scorecard-action@latest as a workflow step; set on: schedule with a weekly or daily cron trigger, and on: push to the default branch
Set permissions: security-events: write, id-token: write, and contents: read in the workflow
Pass SCORECARD_TOKEN (a fine-grained PAT or GITHUB_TOKEN) via the token input so that Scorecard's calls to the GitHub API are authenticated
Add an upload-artifact step after the Scorecard action to upload the SARIF output file, then add a github/codeql-action/upload-sarif@v3 step pointing at the Scorecard results SARIF file to publish the findings to the Security tab
View results in the repository's Security > Code scanning alerts tab after the first successful workflow run
Known gotchas
The id-token: write permission is required for keyless OIDC publishing of Scorecard results to the public scorecard API; omitting it disables the public badge but does not block SARIF upload
SARIF upload to code scanning on a private repository requires GitHub Advanced Security to be enabled; public repositories get code scanning for free
Scorecard checks make authenticated GitHub API calls; without a valid GITHUB_TOKEN or PAT the workflow will hit API rate limits and checks will fail or return incomplete scores
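The steps and gotchas above assembled into one workflow file, as an added example rather than the page's own text: it uses the action's documented repo_token, results_file, results_format and publish_results inputs, pins the action to a release tag instead of a floating reference, and assumes the default branch is named main and that SCORECARD_TOKEN is stored as a repository secret.

```yaml
# .github/workflows/scorecard.yml (added example; assumptions noted inline)
name: Scorecard supply-chain security

on:
  # Weekly (Tuesdays 07:20 UTC) plus every push to the default branch.
  schedule:
    - cron: '20 7 * * 2'
  push:
    branches: [ "main" ]   # assumption: default branch is "main"

# Least privilege at the workflow level; the job grants what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif (code scanning)
      id-token: write          # required only for OIDC publish_results;
                               # omit it and set publish_results: false
                               # to keep the SARIF upload without the badge
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run Scorecard
        # Pinned to a release tag (a commit SHA is stricter); a floating
        # reference cannot be audited and may change underneath you.
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Authenticated API calls avoid the rate-limit failures noted
          # above; SCORECARD_TOKEN is a repository secret (fine-grained
          # PAT) and GITHUB_TOKEN is the fallback when it is unset.
          repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
          publish_results: true

      - name: Upload SARIF as a workflow artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload SARIF to code scanning (Security > Code scanning alerts)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```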
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp