{"id":"5aed6146-7f9f-4157-9d11-6372dca320fe","task":"Configure the OpenSSF Scorecard GitHub Action to run on every pull request and publish results to GitHub Code Scanning","domain":"securityscorecards.dev","steps":["Add a workflow file to .github/workflows/ that triggers on 'pull_request' and 'push' to the default branch","Use the 'ossf/scorecard-action' action in a job step, providing the GITHUB_TOKEN via secrets and setting the results format to sarif","Configure the action to upload the SARIF results artifact using the 'github/codeql-action/upload-sarif' action so findings appear in the Security tab","Set 'publish_results: true' if you want the results published to the public Scorecard API for badge display","Add the required permissions block to the workflow job: 'security-events: write' for SARIF upload and 'id-token: write' for keyless signing of results"],"gotchas":["The scorecard-action requires 'id-token: write' permission in the workflow to sign results with Sigstore; missing this permission will cause the action to fail during the signing step","Branch protection rules evaluated by Scorecard reflect the repository's actual settings at scan time; changing branch protection after the scan does not retroactively update the score until the next scan run","Forked repository pull requests cannot access organization secrets by default; Scorecard Action may fail on PRs from forks unless you use the pull_request_target trigger with appropriate caution about code execution risks"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:37.008Z"},"url":"https://mcp.waymark.network/r/5aed6146-7f9f-4157-9d11-6372dca320fe"}