{"id":"8cbc6b98-2d15-4de2-860c-8e7a3d7120ad","task":"Compute an OpenSSF Scorecard score for a GitHub repository and surface results in CI","domain":"securityscorecards.dev","steps":["Install the `scorecard` CLI from the ossf/scorecard GitHub releases and put it on `PATH`","Export a GitHub token with read access to the target repository as `GITHUB_AUTH_TOKEN`, then run `scorecard --repo=github.com/<org>/<repo> --format json > scorecard.json`; the CLI writes the report to stdout, so redirect it to a file (add `--show-details` to include per-finding evidence)","Review the per-check scores (0 to 10) under `.checks[]` for checks such as `Branch-Protection`, `Code-Review`, `Dependency-Update-Tool`, `Signed-Releases`, and `Token-Permissions`; a score of `-1` means the check could not be evaluated","Fail the pipeline when a check scores below your threshold, e.g. `jq -e '[.checks[] | select(.score >= 0 and .score < 7)] | length == 0' scorecard.json` exits non-zero if any evaluated check is under 7","To show a Scorecard badge in the README, run Scorecard through the `ossf/scorecard-action` GitHub Action with `publish_results: true`; the CLI itself does not publish results, and the badge is served from `https://api.securityscorecards.dev/projects/github.com/<org>/<repo>/badge`"],"gotchas":["Scorecard makes many GitHub API calls per run and quickly exhausts the unauthenticated rate limit; always provide a token. A fine-grained PAT with read access to the target repository is enough to run, but `Branch-Protection` is only fully evaluated when the token also has admin read access to the repository (the fine-grained `Administration: Read-only` permission), so expect a partial score otherwise","Some checks (e.g., `Binary-Artifacts`, `Pinned-Dependencies`) need repository content access; checks Scorecard cannot evaluate are reported as `N/A` in the default output and as `score: -1` in JSON. Dashboards may render `N/A` as a pass, while a naive `score < threshold` filter treats `-1` as a failure, so handle unevaluated checks explicitly in the gate","`publish_results: true` submits results to the public OpenSSF Scorecard API, where they are indexed and viewable by anyone; leave it `false` for private or internal repositories whose metadata should not be publicly exposed"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/8cbc6b98-2d15-4de2-860c-8e7a3d7120ad"}
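The gating step above, as an added example (not code from the Scorecard project or from this record's contributor): a stdlib-only Python stand-in for the jq one-liner, written so that the treatment of unevaluated checks (`score: -1`, printed as `N/A`) is explicit rather than accidental. It reads the `score`, `checks[].name`, `checks[].score` and `checks[].reason` fields that `scorecard --format json` emits; the embedded report, the repository name, and the per-check thresholds are constructed for illustration and are not real results or recommended policy.

```python
"""scorecard_gate.py: fail a CI job on an OpenSSF Scorecard JSON report.

Added example (not part of the Scorecard project). Reads the fields
`score`, `checks[].name`, `checks[].score` and `checks[].reason` that
`scorecard --format json` emits and applies a per-check score floor.
"""
import json
import sys

# Constructed sample in the shape of `scorecard --format json` output.
# Values are made up for illustration; only the fields read below are filled in.
SAMPLE_REPORT = json.dumps({
    "date": "2026-06-13",
    "repo": {"name": "github.com/example-org/example-repo", "commit": "0" * 40},
    "score": 6.8,
    "checks": [
        {"name": "Branch-Protection", "score": 8, "reason": "branch protection is not maximal on development and all release branches"},
        {"name": "Code-Review", "score": 10, "reason": "all changesets reviewed"},
        {"name": "Dependency-Update-Tool", "score": 0, "reason": "no update tool detected"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Token-Permissions", "score": 9, "reason": "detected GitHub workflow tokens with excessive permissions"},
    ],
})

# Hypothetical policy: one floor for every check plus stricter floors for a few.
DEFAULT_MINIMUM = 7
PER_CHECK_MINIMUM = {
    "Dependency-Update-Tool": 5,
    "Token-Permissions": 9,
}


def load_sample():
    """Parse the embedded constructed report."""
    return json.loads(SAMPLE_REPORT)


def evaluate(report, default_minimum=DEFAULT_MINIMUM, per_check=None, fail_on_unevaluated=False):
    """Return [(check_name, score, message)] for every check that violates policy.

    Scorecard reports a check it could not evaluate as score -1 (shown as
    N/A in the default output). Those are never compared against the floor:
    they fail only when fail_on_unevaluated is set, so an N/A can neither
    slip through as a pass nor be mistaken for a genuinely bad score.
    """
    if per_check is None:
        per_check = PER_CHECK_MINIMUM
    failures = []
    for check in report.get("checks", []):
        name, score = check["name"], check["score"]
        reason = check.get("reason", "")
        if score < 0:
            if fail_on_unevaluated:
                failures.append((name, score, f"not evaluated: {reason}"))
            continue
        minimum = per_check.get(name, default_minimum)
        if score < minimum:
            failures.append((name, score, f"{score} < {minimum}: {reason}"))
    return failures


def unevaluated(report):
    """Names of checks Scorecard skipped (score -1), reported even when they do not gate."""
    return [c["name"] for c in report.get("checks", []) if c["score"] < 0]


def gate(path=None, fail_on_unevaluated=False):
    """Load a report (the embedded sample when path is None) and return a CI exit code."""
    if path is None:
        report = load_sample()
    else:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    repo_name = report.get("repo", {}).get("name")
    print(f"repository: {repo_name}  aggregate score: {report.get('score')}")
    for name in unevaluated(report):
        print(f"  N/A  {name} (not evaluated)")
    failures = evaluate(report, fail_on_unevaluated=fail_on_unevaluated)
    for name, score, message in failures:
        print(f"  FAIL {name}: {message}")
    return 1 if failures else 0


if __name__ == "__main__":
    # usage: python3 scorecard_gate.py scorecard.json [--fail-on-na]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    sys.exit(gate(paths[0] if paths else None, fail_on_unevaluated="--fail-on-na" in sys.argv))
```

In a pipeline this runs right after the `scorecard --repo=... --format json > scorecard.json` step as `python3 scorecard_gate.py scorecard.json`; pass `--fail-on-na` on repositories where every listed check is expected to be evaluable, so a check that silently became `N/A` (for example because the token lost access) stops the build instead of disappearing from the report.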