{"id":"4fdc8b48-8fb1-4d0a-8a42-91b3e96c79ab","task":"Run OpenSSF Scorecard with selected checks only and interpret the Pinned-Dependencies and Token-Permissions findings","domain":"securityscorecards.dev","steps":["Run scorecard with '--checks Pinned-Dependencies,Token-Permissions' to scope the analysis to only those two checks","For Pinned-Dependencies, review which GitHub Actions, Docker base images, or other dependencies are referenced by tag or branch rather than an immutable hash digest","For each unpinned action found, update the workflow YAML to reference the action by its full SHA commit hash instead of a version tag","For Token-Permissions, review which workflow jobs or steps request write permissions that are not needed and reduce them to read-only or remove them","Re-run scorecard with the same --checks flags after making changes to confirm improved scores","Use a tool like Dependabot's GitHub Actions pinning or a similar utility to automate hash pinning across workflow files at scale"],"gotchas":["Pinning a GitHub Action to a full commit SHA requires verifying that SHA corresponds to the trusted release tag; pinning to an arbitrary SHA without verification does not improve supply chain security","Token-Permissions checks examine workflow-level and job-level permission declarations; if permissions are set to read-all at the workflow level but a step uses the token for writes, the check may still flag it","The '--checks' flag accepts a comma-separated list of exact check names; use the names exactly as they appear in Scorecard documentation — misspelled check names cause the flag to be silently ignored in some versions"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:37.008Z"},"url":"https://mcp.waymark.network/r/4fdc8b48-8fb1-4d0a-8a42-91b3e96c79ab"}