Add a workflow file under .github/workflows/ that triggers on 'push' to the default branch; the upstream example also adds a weekly 'schedule' trigger (so the Maintained check keeps refreshing) and 'branch_protection_rule' (so the score is recomputed when protection settings change). Results can only be published to the Scorecard API for the default branch.
Use the 'ossf/scorecard-action' action in a job step with 'results_format: sarif' and a 'results_file' path. 'repo_token' defaults to the workflow's GITHUB_TOKEN; passing a personal access token stored in secrets is optional and only needed in the cases the upstream README lists (for example private repositories).
Upload the SARIF file with the 'github/codeql-action/upload-sarif' action ('sarif_file' pointing at the same path) so findings appear in the repository's Security tab; optionally also keep the raw file with 'actions/upload-artifact'.
Set 'publish_results: true' if you want the results published to the public Scorecard API for badge display. Publishing only works for public repositories and requires 'id-token: write'.
Add the permissions block to the job: 'security-events: write' for the SARIF upload, 'id-token: write' for Sigstore (keyless) signing of published results, plus 'contents: read' and 'actions: read' for the checks themselves. Keep the workflow-level default at 'read-all' and grant write scopes only on this job.
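The complete workflow the steps above describe, as an added example (not the ossf/scorecard-action project's own workflow file). Assumptions: the default branch is named 'main', the secret name SCORECARD_TOKEN is a placeholder, and the action versions are current release tags; Scorecard's own Pinned-Dependencies check expects third-party actions pinned by full commit SHA, so replace each '@vX' with '@<sha> # vX' before committing.

```yaml
# .github/workflows/scorecard.yml
# Added example, not the ossf/scorecard-action project's own file.
name: Scorecard supply-chain security

on:
  push:
    branches: [ "main" ]          # assumed default branch name
  schedule:
    - cron: '20 7 * * 2'          # weekly run keeps the Maintained check current
  branch_protection_rule:         # re-score when branch protection changes

# Deny by default; the job below re-grants only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # github/codeql-action/upload-sarif
      id-token: write             # Sigstore signing, only needed for publish_results: true
      contents: read
      actions: read

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # repo_token defaults to the workflow GITHUB_TOKEN. SCORECARD_TOKEN is a
          # placeholder name; uncomment only if you actually need a PAT.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          publish_results: true        # public repos only; set false to keep results private

      - name: Keep the raw SARIF as an artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to the code-scanning dashboard
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

If you set 'publish_results: false', 'id-token: write' can be dropped from the job; 'security-events: write' stays as long as the upload-sarif step does.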
Known gotchas
With 'publish_results: true', the action signs and publishes results through Sigstore and needs 'id-token: write' on the job; without that permission the run fails at the publishing step. If you do not publish, the permission is not needed.
Branch protection rules evaluated by Scorecard reflect the repository's actual settings at scan time; changing branch protection after a scan does not retroactively update the score until the next run (adding the 'branch_protection_rule' trigger makes that next run happen automatically).
Pull requests from forks run with a read-only GITHUB_TOKEN and no access to repository or organization secrets, so a 'repo_token' that references a secret is empty on those runs. Switching to 'pull_request_target' restores secrets and a write-capable token, but the job then runs in the base repository's context: never check out 'github.event.pull_request.head.sha' and execute anything from that tree (scripts, package installs, Makefiles) under that trigger, because fork code would run with your credentials. Since published scores only cover the default branch, the simplest fix is to not run Scorecard on fork pull requests at all.