Run scorecard with '--checks Pinned-Dependencies,Token-Permissions' to scope the analysis to only those two checks
For Pinned-Dependencies, review which GitHub Actions, Docker base images, or other dependencies are referenced by tag or branch rather than an immutable hash digest
For each unpinned action found, update the workflow YAML to reference the action by its full 40-character commit SHA instead of a version tag
For Token-Permissions, review which workflow jobs or steps request write permissions that are not needed and reduce them to read-only or remove them
Re-run scorecard with the same --checks flag after making changes to confirm the scores improved
Use a tool like Dependabot's GitHub Actions pinning or a similar utility to automate hash pinning across workflow files at scale
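The steps above can be rehearsed locally before running Scorecard at all. The following script is an added example, not Scorecard's own code or the code of any project mentioned here: it scans a workflow file for the two things those checks report, `uses:` references that are not an immutable digest and permission declarations that grant write access, and shows the rewrite from step 3. The workflow text is constructed for the example; the 40-hex digest in it is a placeholder, not a real commit. The line-oriented parsing assumes the usual two-space YAML layout rather than a full YAML parser, so unusual quoting or flow-style blocks would need PyYAML instead.

```python
import re

# Constructed sample workflow for this example (not from any real project).
# It contains tag-referenced actions, an unpinned container image, a local
# composite action, a properly pinned action (placeholder digest, not a real
# commit) and write permissions at both workflow and job level.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-step
      - run: go test ./...
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: example-org/release-action@v2
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
PERM_RE = re.compile(r"^(\s*)permissions:\s*(\S*)\s*$")


def is_pinned(ref: str) -> bool:
    """True when a `uses:` reference resolves to an immutable digest."""
    if ref.startswith("./"):            # local action in this repo: nothing to pin
        return True
    if ref.startswith("docker://"):     # container action: needs an image digest
        return "@sha256:" in ref
    _, _, version = ref.rpartition("@")  # no '@' at all leaves the whole ref here
    return bool(SHA_RE.match(version))


def find_unpinned(workflow: str) -> list[tuple[int, str]]:
    """(line number, reference) for every `uses:` that is not digest-pinned."""
    findings = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((n, m.group(1)))
    return findings


def find_write_permissions(workflow: str) -> list[tuple[int, str]]:
    """Report every permission declaration that grants write access.

    Handles the shorthand form (`permissions: write-all`) and the block form
    (`permissions:` followed by indented `<scope>: write` entries). The block
    ends at the first line indented no deeper than the `permissions:` key.
    """
    findings = []
    block_indent = None
    for n, line in enumerate(workflow.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None:
            if indent > block_indent:
                scope, _, level = line.strip().partition(":")
                if level.strip() == "write":
                    findings.append((n, f"{scope}: write"))
                continue
            block_indent = None
        m = PERM_RE.match(line)
        if m:
            if m.group(2) == "write-all":
                findings.append((n, "write-all"))
            elif m.group(2) == "":
                block_indent = indent
    return findings


def pin_reference(line: str, commit_sha: str) -> str:
    """Rewrite one `uses:` line to a commit SHA, keeping the old tag as a
    trailing comment (the convention Dependabot and Renovate update)."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(commit_sha):
        raise ValueError("expected a `uses:` line and a 40-hex commit SHA")
    ref = m.group(1)
    action, _, tag = ref.rpartition("@")
    return line.replace(ref, f"{action}@{commit_sha}", 1) + f"  # {tag}"


if __name__ == "__main__":
    for n, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: unpinned dependency {ref}")
    for n, grant in find_write_permissions(SAMPLE_WORKFLOW):
        print(f"line {n}: write permission granted ({grant})")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `find_unpinned` and `find_write_permissions`; the `# v4` comment that `pin_reference` appends is what lets an automated updater later move the SHA forward when a new release is tagged.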
Known gotchas
Pinning a GitHub Action to a full commit SHA requires verifying that SHA corresponds to the trusted release tag; pinning to an arbitrary SHA without verification does not improve supply chain security
Token-Permissions checks examine workflow-level and job-level permission declarations; if permissions are set to read-all at the workflow level but a step uses the token for writes, the check may still flag it
The '--checks' flag accepts a comma-separated list of exact check names; use the names exactly as they appear in Scorecard documentation — misspelled check names cause the flag to be silently ignored in some versions
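The first gotcha above, that a SHA is only worth pinning to if it really is the commit behind the release tag you trust, can be checked with `git ls-remote --tags`. The following is an added example, not Scorecard's own tooling: it parses that command's output, resolves a tag to the commit it points at, and verifies or reverse-looks-up a pin. The `ls-remote` sample is constructed with placeholder SHAs. The one detail worth knowing is real git behaviour: for an annotated tag, `ls-remote` prints two lines, the tag object itself and a `^{}` line with the commit it is peeled to, and only the peeled commit is a valid `uses:` pin.

```python
import re
import subprocess

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample of `git ls-remote --tags <repo-url>` output; the SHAs are
# placeholders, not real commits. v4 is a lightweight (moving) major tag,
# v4.1.1 is an annotated tag: the first line is the tag object, the `^{}` line
# is the commit it points to, which is the value a `uses:` pin must carry.
SAMPLE_LS_REMOTE = """\
3333333333333333333333333333333333333333\trefs/tags/v4
2222222222222222222222222222222222222222\trefs/tags/v4.1.1
3333333333333333333333333333333333333333\trefs/tags/v4.1.1^{}
4444444444444444444444444444444444444444\trefs/tags/v3.6.0
"""


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA, preferring the peeled (`^{}`) entry so an
    annotated tag resolves to its commit rather than to the tag object."""
    resolved, peeled = {}, {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, _, ref = line.partition("\t")
        if not ref.startswith("refs/tags/") or not SHA_RE.match(sha):
            continue
        tag = ref[len("refs/tags/"):]
        if tag.endswith("^{}"):
            peeled[tag[:-3]] = sha
        else:
            resolved[tag] = sha
    return {tag: peeled.get(tag, sha) for tag, sha in resolved.items()}


def fetch_tags(repo_url: str) -> dict[str, str]:
    """Live lookup (needs network): runs `git ls-remote --tags` for the repo."""
    out = subprocess.run(["git", "ls-remote", "--tags", repo_url],
                         check=True, capture_output=True, text=True).stdout
    return parse_ls_remote(out)


def verify_pin(tags: dict[str, str], tag: str, pinned_sha: str) -> bool:
    """True only if `pinned_sha` is a well-formed commit SHA and is exactly the
    commit the trusted release tag resolves to."""
    return SHA_RE.match(pinned_sha) is not None and tags.get(tag) == pinned_sha


def tags_for_sha(tags: dict[str, str], sha: str) -> list[str]:
    """Which release tags point at this commit (useful when auditing a pin
    whose trailing version comment is missing or stale)."""
    return sorted(t for t, s in tags.items() if s == sha)


if __name__ == "__main__":
    tags = parse_ls_remote(SAMPLE_LS_REMOTE)
    print("v4.1.1 ->", tags["v4.1.1"])
    print("tag object SHA accepted?", verify_pin(tags, "v4.1.1", "2" * 40))
    print("peeled commit accepted?", verify_pin(tags, "v4.1.1", "3" * 40))
```

For a real check, call `fetch_tags("https://github.com/<owner>/<repo>")` and pass the result to `verify_pin` with the tag named in the workflow's trailing comment; because a major tag such as `v4` is re-pointed by maintainers at each release, record the exact release tag you verified against, not the moving one.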