Install the `scorecard` CLI from the OpenSSF releases
Run `scorecard --repo=github.com/<org>/<repo> --format json --output scorecard.json` — this requires a GitHub token with read access set as `GITHUB_AUTH_TOKEN`
Review scores for checks such as `Branch-Protection`, `Code-Review`, `Dependency-Update-Tool`, `Signed-Releases`, and `Token-Permissions`
Fail the pipeline if any check score (0 to 10 in the JSON output; -1 means the check was inconclusive) is below your threshold, using `jq` to parse `scorecard.json`
Publishing results to the public Scorecard API, which is what backs the Scorecard badge in a README, is done by the `ossf/scorecard-action` GitHub Action with `publish_results: true` (the Action needs the `id-token: write` permission for the upload); the standalone CLI does not publish
Known gotchas
Scorecard makes many GitHub API calls per run and can exhaust the unauthenticated rate limit quickly; always provide a token. A fine-grained PAT with `Read` access to the target repository is enough to run every check, but some `Branch-Protection` settings are only visible to repository administrators, so a read-only token yields a partial evaluation and a lower score for that check
Some checks (e.g., `Binary-Artifacts`, `Pinned-Dependencies`) require repository content access; Scorecard reports a check it cannot evaluate as inconclusive (`?` in the default text output, `"score": -1` in JSON) rather than as a failure, and some dashboards render that as a pass, so treat -1 explicitly in any threshold gate
Publishing (`publish_results: true` in the Action) submits results to the public OpenSSF Scorecard API, which is meant for public repositories; keep it disabled for private repositories and for internal repositories whose metadata should not be publicly indexed
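The threshold gate from the steps above, together with the inconclusive-score gotcha, as an added example that is not part of the Scorecard project. It is a Python equivalent of the `jq` gate, assuming only the JSON layout `scorecard --format json` produces (a top-level `checks` array whose entries carry `name` and `score`); the check names are real Scorecard checks, the per-check thresholds are an assumed policy, and the embedded report is a constructed sample, not real Scorecard output.

```python
"""Gate a CI pipeline on OpenSSF Scorecard JSON output.

Added example, not the Scorecard project's code. Assumes the JSON shape of
`scorecard --format json`: {"checks": [{"name": ..., "score": ...}, ...]}
where score is 0..10, or -1 when Scorecard could not evaluate the check.
"""
import json
import sys

# Assumed policy: minimum score per check. Names are real Scorecard checks.
THRESHOLDS = {
    "Branch-Protection": 5,
    "Code-Review": 5,
    "Dependency-Update-Tool": 10,
    "Signed-Releases": 5,
    "Token-Permissions": 9,
}

# Scorecard's marker for a check it could not evaluate ("?" in text output).
INCONCLUSIVE = -1


def evaluate(report, thresholds=THRESHOLDS, fail_on_inconclusive=True):
    """Return a list of failure messages; an empty list means the gate passes.

    A missing check or an inconclusive (-1) score is reported explicitly so
    it cannot masquerade as a pass.
    """
    scores = {c["name"]: c["score"] for c in report.get("checks", [])}
    failures = []
    for name, minimum in thresholds.items():
        if name not in scores:
            failures.append(f"{name}: missing from report (check not run?)")
            continue
        score = scores[name]
        if score == INCONCLUSIVE:
            if fail_on_inconclusive:
                failures.append(f"{name}: inconclusive (-1), not a pass")
            continue
        if score < minimum:
            failures.append(f"{name}: score {score} below threshold {minimum}")
    return failures


def gate(path):
    """Load a scorecard.json file and return a process exit code (0 = pass)."""
    with open(path, encoding="utf-8") as fh:
        report = json.load(fh)
    failures = evaluate(report)
    for line in failures:
        print("FAIL", line)
    return 1 if failures else 0


# Constructed sample mimicking the shape of `scorecard --format json`.
# Branch-Protection is below threshold and Signed-Releases is inconclusive.
SAMPLE_REPORT = {
    "repo": {"name": "github.com/example-org/example-repo"},
    "score": 6.2,
    "checks": [
        {"name": "Branch-Protection", "score": 3, "reason": "branch protection not enabled"},
        {"name": "Code-Review", "score": 8, "reason": "most commits reviewed"},
        {"name": "Dependency-Update-Tool", "score": 10, "reason": "update tool detected"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Token-Permissions", "score": 10, "reason": "tokens are read-only"},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(gate(sys.argv[1]))
    # With no argument, run against the constructed sample (expected: 2 failures).
    for line in evaluate(SAMPLE_REPORT):
        print("FAIL", line)
    sys.exit(1 if evaluate(SAMPLE_REPORT) else 0)
```

Run it in the pipeline as `python scorecard_gate.py scorecard.json` after the `scorecard` step; a non-zero exit fails the job. `fail_on_inconclusive` defaults to true deliberately, because a check that did not run tells you nothing about the repository and should block the build until the token or access problem behind it is fixed.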