{"id":"b4137e3b-e679-414d-a74e-1b7070b1ac48","task":"Run OpenSSF Scorecard against a GitHub repository and interpret the weighted score output","domain":"securityscorecards.dev","steps":["Install the scorecard binary from the OpenSSF Scorecard GitHub releases page, or build it from source with 'go install'","Export a GitHub personal access token as GITHUB_AUTH_TOKEN; read-only access to public repositories is enough for most checks, and Scorecard uses the token to authenticate its GitHub API calls","Run 'scorecard --repo github.com/org/repo' and wait for all checks to complete","Review the per-check scores (0 to 10, or -1 when a check was inconclusive) and the overall score. The aggregate is a weighted average in which each check's weight is set by its risk level (Critical 10, High 7.5, Medium 5, Low 2.5); Dangerous-Workflow is Critical and Token-Permissions is High, so they move the aggregate far more than Low-risk checks such as License or CI-Tests","Use '--format json' to capture machine-readable results for trend tracking or dashboard ingestion; add '--show-details' to include the per-finding detail lines in the output","Identify checks with low scores and use each check's 'reason' field (and its 'details' entries, when present) to understand what remediation is needed"],"gotchas":["Most Scorecard checks make GitHub API calls and can be rate-limited; use a token with sufficient rate-limit headroom and consider running Scorecard off-peak for large or very active repositories","Scorecard can only evaluate what the GitHub API exposes to the token you supply. The Branch-Protection check in particular needs admin-level access to read every protection setting; with a read-only public token it evaluates only part of the check, so its score may understate what is actually configured","The weighted scoring algorithm assigns different importance to different checks: a perfect score on Low-weight checks combined with failures on Critical or High-weight checks still yields a low overall score. Checks that return -1 (inconclusive, e.g. after an API error) are left out of the aggregate entirely, so an error-prone run can report a misleadingly high score"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:26.626Z"},"url":"https://mcp.waymark.network/r/b4137e3b-e679-414d-a74e-1b7070b1ac48"}
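The procedure above ends with reading the JSON output and working out which checks to fix first. The following script is an added example (not part of the OpenSSF Scorecard project or this record) that does that offline: it parses a Scorecard result document of the shape 'scorecard --format json' prints, recomputes the weighted aggregate from the published risk weights (Critical 10, High 7.5, Medium 5, Low 2.5), shows how far that differs from a plain mean, and ranks the failing checks by the aggregate points each one costs. The sample result, the repository name in it, the reason strings, and the function names are all constructed for this illustration; the check-to-risk table is transcribed from the Scorecard check documentation and raises on a check name it does not know rather than guessing a weight.

```python
"""Interpret OpenSSF Scorecard JSON output offline (added example, not Scorecard code)."""
import json

INCONCLUSIVE = -1  # Scorecard reports -1 when a check could not be evaluated

# Weights per risk level, as documented in Scorecard's scoring section.
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Risk level of each check, transcribed from the Scorecard check docs.
CHECK_RISK = {
    "Binary-Artifacts": "High", "Branch-Protection": "High", "CI-Tests": "Low",
    "CII-Best-Practices": "Low", "Code-Review": "High", "Contributors": "Low",
    "Dangerous-Workflow": "Critical", "Dependency-Update-Tool": "High",
    "Fuzzing": "Medium", "License": "Low", "Maintained": "High",
    "Packaging": "Medium", "Pinned-Dependencies": "Medium", "SAST": "Medium",
    "Security-Policy": "Medium", "Signed-Releases": "High",
    "Token-Permissions": "High", "Vulnerabilities": "High", "Webhooks": "Critical",
}

# Constructed sample in the shape of 'scorecard --format json' output (not a real scan).
SAMPLE_OUTPUT = json.dumps({
    "date": "2026-06-13",
    "repo": {"name": "github.com/example-org/example-repo"},
    "score": 4.6,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 0,
         "reason": "dangerous workflow patterns detected",
         "details": ["Warn: script injection with untrusted input in .github/workflows/ci.yml"]},
        {"name": "Token-Permissions", "score": 0,
         "reason": "detected GitHub workflow tokens with excessive permissions", "details": None},
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and all release branches",
         "details": None},
        {"name": "Pinned-Dependencies", "score": 10, "reason": "all dependencies are pinned", "details": None},
        {"name": "License", "score": 10, "reason": "license file detected", "details": None},
        {"name": "CI-Tests", "score": 10, "reason": "all recent merged PRs are tested", "details": None},
        {"name": "Code-Review", "score": 10, "reason": "all changesets reviewed", "details": None},
        {"name": "Fuzzing", "score": -1, "reason": "internal error: API rate limit exceeded", "details": None},
    ],
})


def load_result(text):
    """Parse a Scorecard JSON document and sanity-check its shape."""
    result = json.loads(text)
    if not isinstance(result.get("checks"), list):
        raise ValueError("not a Scorecard result: missing 'checks' array")
    return result


def check_weight(name):
    """Weight of a check, derived from its documented risk level."""
    try:
        return RISK_WEIGHT[CHECK_RISK[name]]
    except KeyError:
        raise ValueError(f"unknown check {name!r}: add its risk level to CHECK_RISK") from None


def aggregate_score(result):
    """Weighted mean of conclusive check scores, rounded to one decimal like Scorecard."""
    total = weight_sum = 0.0
    for check in result["checks"]:
        if check["score"] == INCONCLUSIVE:
            continue  # inconclusive checks do not count toward the aggregate
        w = check_weight(check["name"])
        total += w * check["score"]
        weight_sum += w
    return INCONCLUSIVE if weight_sum == 0 else round(total / weight_sum, 1)


def unweighted_mean(result):
    """Plain mean of conclusive scores, for comparison with the weighted aggregate."""
    scores = [c["score"] for c in result["checks"] if c["score"] != INCONCLUSIVE]
    return sum(scores) / len(scores) if scores else INCONCLUSIVE


def remediation_priorities(result):
    """Failing checks ordered by the aggregate points they cost: weight * (10 - score)."""
    rows = []
    for check in result["checks"]:
        score = check["score"]
        if score == INCONCLUSIVE or score == 10:
            continue
        weight = check_weight(check["name"])
        rows.append({"check": check["name"], "risk": CHECK_RISK[check["name"]],
                     "score": score, "lost_points": weight * (10 - score),
                     "reason": check["reason"], "details": check.get("details") or []})
    rows.sort(key=lambda r: r["lost_points"], reverse=True)
    return rows


def inconclusive_checks(result):
    """Names of checks that returned -1 and were silently excluded from the aggregate."""
    return [c["name"] for c in result["checks"] if c["score"] == INCONCLUSIVE]


if __name__ == "__main__":
    result = load_result(SAMPLE_OUTPUT)
    print(f"{result['repo']['name']}: weighted {aggregate_score(result)}, "
          f"unweighted mean {unweighted_mean(result):.2f}")
    for row in remediation_priorities(result):
        print(f"  -{row['lost_points']:5.1f} pts  {row['check']} ({row['risk']}, score {row['score']}): {row['reason']}")
        for line in row["details"]:
            print(f"             {line}")
    print("excluded as inconclusive:", inconclusive_checks(result))
```

On the constructed sample the weighted aggregate is 4.6 while the plain mean of the same scores is about 6.1: three perfect Low and Medium checks cannot compensate for zeros on a Critical and a High check, which is the third gotcha in numbers. The script also surfaces the Fuzzing check that errored out, since a -1 drops out of the aggregate without lowering it; feed it a real result from 'scorecard --repo ... --format json --show-details' via 'load_result(open(path).read())'.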