Install the scorecard binary from the OpenSSF Scorecard GitHub releases or use 'go install' to build it
Set the GITHUB_AUTH_TOKEN environment variable to a GitHub personal access token with read-only public repo access
Run 'scorecard --repo github.com/org/repo' and wait for all checks to complete
Review the per-check scores out of 10 and the overall weighted score; higher-weight checks like Dangerous-Workflow and Token-Permissions have more impact on the aggregate
Use '--format json' to capture machine-readable results for trend tracking or dashboard ingestion
Identify checks with low scores and use the 'reason' field in the output to understand what remediation is needed
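Steps 5 and 6 in code, as an added example that is not part of the original page or of the Scorecard project: it parses the JSON output of two runs, separates checks that need remediation from checks that came back inconclusive, and diffs the runs for trend tracking. The sample runs are constructed and trimmed to the fields used, and the remediation threshold of 7 is an assumption.

```python
import json

# Constructed samples in the shape of `scorecard --repo ... --format json`
# output, trimmed to the fields used here (date, score, checks[].name,
# checks[].score, checks[].reason). Check scores run 0-10; -1 marks a check
# that could not conclude (for example, an API error), not a failing check.
def _run(date, score, checks):
    return json.dumps({"date": date, "repo": {"name": "github.com/org/repo"},
                       "score": score,
                       "checks": [{"name": n, "score": s, "reason": r} for n, s, r in checks]})

CURRENT_RUN = _run("2024-02-01", 4.8, [
    ("Dangerous-Workflow", 0, "dangerous workflow patterns detected"),
    ("Token-Permissions", 5, "detected GitHub workflow tokens with excessive permissions"),
    ("Branch-Protection", -1, "internal error: error during branch protection retrieval"),
    ("Binary-Artifacts", 10, "no binaries found in the repo"),
])
PREVIOUS_RUN = _run("2024-01-01", 6.5, [
    ("Dangerous-Workflow", 0, "dangerous workflow patterns detected"),
    ("Token-Permissions", 10, "tokens follow principle of least privilege"),
    ("Binary-Artifacts", 10, "no binaries found in the repo"),
])

def load_report(text):
    """Parse one JSON run into {check name: (score, reason)} plus the aggregate."""
    data = json.loads(text)
    checks = {c["name"]: (c["score"], c["reason"]) for c in data["checks"]}
    return {"date": data["date"], "score": data["score"], "checks": checks}

def triage(report, threshold=7):
    """Split checks into actionable (below threshold, worst first) and
    inconclusive (-1), which need a rerun or token fix rather than remediation."""
    actionable, inconclusive = [], []
    for name, (score, reason) in report["checks"].items():
        if score < 0:
            inconclusive.append((name, reason))
        elif score < threshold:
            actionable.append((name, score, reason))
    actionable.sort(key=lambda t: t[1])
    return actionable, inconclusive

def regressions(previous, current):
    """Checks whose score dropped between two runs; inconclusive results on
    either side are skipped so an API hiccup is not reported as a regression."""
    drops = []
    for name, (score, _) in current["checks"].items():
        prev = previous["checks"].get(name)
        if prev and prev[0] >= 0 and 0 <= score < prev[0]:
            drops.append((name, prev[0], score))
    return drops
```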
Known gotchas
Some Scorecard checks make GitHub API calls and can be rate-limited; use a token with sufficient rate limit headroom and consider running Scorecard off-peak for large or active repositories
Scorecard assesses the public repository state; settings like branch protection rules must be visible via the GitHub API for checks like Branch-Protection to evaluate correctly
The weighted scoring algorithm assigns different importance to different checks; a perfect score on low-weight checks combined with failures on high-weight checks still results in a low overall score