{"id":"0476c6bd-11f7-4065-9e11-161a3abf3f66","task":"Set up the OpenSSF Scorecard GitHub Action to run security checks and upload results as SARIF to GitHub code scanning","domain":"github.com/ossf/scorecard-action","steps":["Create .github/workflows/scorecard.yml in your repository","Add ossf/scorecard-action as a workflow step pinned to a release tag or, better, the full commit SHA behind that tag (a floating ref such as @latest is not a tag of this action and will not resolve, and Scorecard's own Pinned-Dependencies check penalizes unpinned actions); trigger the workflow on: schedule with a weekly cron, on: push to the default branch, and on: branch_protection_rule so the score is refreshed when branch protection changes","Set permissions: read-all at the top of the workflow, then grant the analysis job only what it needs: security-events: write (SARIF upload to code scanning), id-token: write (OIDC token, needed only when publish_results is true), contents: read, and actions: read on private repositories","Optionally supply a PAT stored as a repository secret (for example SCORECARD_TOKEN) through the repo_token input (the action has no input named token); when it is omitted the action uses the default github.token, which covers most checks but cannot read branch protection settings, so a PAT (classic with repo scope, or fine-grained with read-only repository Administration access) is needed for the Branch-Protection check on public repositories and for installs on private repositories","Set results_format: sarif and results_file: results.sarif on the Scorecard step, optionally keep a copy with actions/upload-artifact, then run github/codeql-action/upload-sarif@v3 with sarif_file: results.sarif to publish findings to the Security tab (the artifact step is only for offline review and is not required for code scanning)","View results under Security > Code scanning alerts after the first successful run; if publish_results is true and the repository is public, the score also appears on the public Scorecard dashboard and badge"],"gotchas":["id-token: write is required only when publish_results is true: the action uses the OIDC token to publish its results (keyless) to the public Scorecard API, which works for public repositories only; omitting the permission or setting publish_results: false disables the public badge but does not affect the SARIF upload","SARIF upload to code scanning requires GitHub Advanced Security on private repositories; public repositories get code scanning for free","Scorecard makes authenticated GitHub API calls with repo_token (default github.token); a missing or under-scoped token hits API rate limits or cannot read branch protection, so checks such as Branch-Protection fail or return incomplete scores, and the job log is where the rate-limit and permission errors show up"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:40:37.260Z"},"url":"https://mcp.waymark.network/r/0476c6bd-11f7-4065-9e11-161a3abf3f66"}
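The steps and gotchas above as one complete workflow file. This is an added example written for this entry, not the ossf/scorecard-action project's own workflow; it assumes the default branch is `main`, that a PAT (if used) is stored in a repository secret named `SCORECARD_TOKEN`, and it pins the action to the `v2.4.0` release tag rather than a commit SHA, because the SHA behind a tag should be copied from the release rather than guessed.

```yaml
# .github/workflows/scorecard.yml  (added example, not the project's own file)
name: Scorecard supply-chain security

on:
  branch_protection_rule:          # re-score when branch protection settings change
  schedule:
    - cron: '30 1 * * 6'           # weekly, Saturday 01:30 UTC
  push:
    branches: [ main ]             # assumption: the default branch is `main`
  workflow_dispatch:

# Least privilege at the workflow level; the job re-grants only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write       # upload SARIF to code scanning
      id-token: write              # OIDC token; only needed for publish_results: true
      contents: read
      actions: read                # needed when installed on a private repository
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep the workflow token out of .git/config

      - name: Run Scorecard
        # Pin to a release tag at minimum; for production, replace the tag with the
        # full 40-character commit SHA of that release. Never use a floating ref.
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Assumption: a PAT is stored as the SCORECARD_TOKEN secret. It is needed only
          # for the Branch-Protection check on public repositories or for private
          # repositories. If no PAT is configured, delete this line (do not leave it
          # empty) so the action falls back to the default github.token.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Public repositories only; set to false on private repositories or when
          # id-token: write is not granted to the job.
          publish_results: true

      - name: Keep a copy of the SARIF (optional, for offline review)
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

After the first successful run the findings appear under Security > Code scanning alerts; on a private repository without GitHub Advanced Security the last step is the one that fails, while the Scorecard step itself still completes and the artifact remains downloadable.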