
URL: https://apify.com/automation-lab/openssf-scorecard-projects-scraper

OpenSSF Scorecard Projects Scraper for GitHub Security · Apify



Export OpenSSF Scorecard checks for public GitHub repositories: scores, reasons, docs, commits, and pass/warn/fail security findings.

Pricing

Pay per event


Developer


Stas Persiianenko

Maintained by Community


Export OpenSSF Scorecard findings for public GitHub repositories at portfolio scale.

The actor calls the public OpenSSF Scorecard API and turns each repository scorecard into clean dataset rows for compliance, vendor-risk, DevSecOps, and open-source maintenance workflows.

What does OpenSSF Scorecard Projects Scraper do?

OpenSSF Scorecard Projects Scraper collects security health checks from api.securityscorecards.dev for the GitHub repositories you provide.

It returns one row per Scorecard check, including overall score, check score, reason, documentation URL, repository commit, scorecard version, and a normalized status.

Who is it for?

  • 🛡️ Security teams reviewing third-party open-source dependencies.
  • 📋 Compliance teams exporting recurring evidence for software supply-chain controls.
  • 🧑‍💻 OSS maintainers monitoring their own repositories.
  • 🏢 Vendor-risk teams checking GitHub projects before approval.
  • 📊 Data teams feeding Scorecard findings into dashboards or risk registers.

Why use this actor?

The OpenSSF API is easy to call for one repository, but compliance workflows usually need repeatable exports for many repositories.

This actor adds batching, input normalization, dataset output, Apify scheduling, API access, and pay-per-result billing.

Data you can extract

| Field | Description |
| --- | --- |
| repository | Canonical github.com/owner/repo project path |
| repositoryUrl | Direct GitHub repository URL |
| overallScore | OpenSSF overall project score |
| checkName | Scorecard check name |
| checkScore | Score for the individual check |
| checkStatus | Normalized pass, warn, fail, or not_available |
| checkReason | OpenSSF explanation for the check score |
| documentationUrl | Official check documentation link |
| scorecardDate | Date of the scorecard result |
| repositoryCommit | Repository commit evaluated by Scorecard |
| scorecardVersion | Scorecard version used |
| apiUrl | Source API URL used by the actor |
| scrapedAt | Actor run timestamp |

How much does it cost to export OpenSSF Scorecard repository checks?

The actor uses pay-per-event pricing.

  • A small start event is charged once per run.
  • A result event is charged for each Scorecard check row saved to the dataset.
  • OpenSSF checks are returned directly from a public API, so no browser or paid proxy is required by default.

Your final cost depends on how many repositories you submit and how many checks the Scorecard API returns for each repository.

How to use it

  1. Add GitHub repositories to the repositories input.
  2. Optionally paste a newline-separated list in repositoryList.
  3. Set maxRepositories if you want a safety cap.
  4. Run the actor.
  5. Export the dataset as JSON, CSV, Excel, XML, or HTML.

Input

{
  "repositories": [
    "github.com/kubernetes/kubernetes",
    "https://github.com/nodejs/node",
    "golang/go"
  ],
  "maxRepositories": 100,
  "failBelowScore": 5,
  "includeRawDetails": false,
  "requestTimeoutSecs": 30
}

Output example

{
  "repository": "github.com/kubernetes/kubernetes",
  "repositoryUrl": "https://github.com/kubernetes/kubernetes",
  "owner": "kubernetes",
  "repo": "kubernetes",
  "scorecardDate": "2026-06-22",
  "overallScore": 7.6,
  "repositoryCommit": "5bc6fe68c97de1497bdf0dc96f2041cc50f2e13e",
  "scorecardVersion": "v5.5.1-0.20260519155427-916bfc57fa74",
  "scorecardCommit": "916bfc57fa7431467a33a5a013cba3f8a0c1ec50",
  "checkName": "Code-Review",
  "checkScore": 10,
  "checkStatus": "pass",
  "checkReason": "all changesets reviewed",
  "documentationShort": "Determines if the project requires human code review before pull requests are merged.",
  "documentationUrl": "https://github.com/ossf/scorecard/blob/.../docs/checks.md#code-review",
  "apiUrl": "https://api.securityscorecards.dev/projects/github.com/kubernetes/kubernetes",
  "scrapedAt": "2026-06-28T00:00:00.000Z"
}

Supported repository formats

You can provide repositories as:

  • github.com/owner/repo
  • https://github.com/owner/repo
  • owner/repo

The actor normalizes all three formats before calling the OpenSSF Scorecard API.
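A sketch of that normalization step, written for this page as an added example and not taken from the actor's source. The character rules for owner and repo names and the helper names `normalize_repository` and `build_batch` are assumptions; the API base URL is the one shown in the `apiUrl` output field. Validating strictly before building the URL keeps other hosts, path traversal and query strings out of the request.

```python
import re

# Base URL taken from the apiUrl field in the page's output example.
API_BASE = "https://api.securityscorecards.dev/projects/"

# Assumed character rules (hypothetical, deliberately strict):
# owner = alphanumerics and inner hyphens, repo = letters, digits, '.', '_', '-'.
_REF = re.compile(
    r"^(?:https?://)?(?:(?:www\.)?github\.com/)?"
    r"([A-Za-z0-9][A-Za-z0-9-]{0,38})/([A-Za-z0-9._-]{1,100})$",
    re.IGNORECASE,
)

def normalize_repository(value):
    """Return canonical 'github.com/owner/repo' or raise ValueError."""
    text = value.strip().rstrip("/")
    if text.lower().endswith(".git"):
        text = text[:-4]
    match = _REF.match(text)
    if not match or match.group(2) in (".", ".."):
        raise ValueError(f"not a GitHub owner/repo reference: {value!r}")
    return f"github.com/{match.group(1)}/{match.group(2)}"

def build_batch(values, max_repositories=100):
    """Normalize, de-duplicate and cap a list; return (api_urls, rejected)."""
    seen, urls, rejected = set(), [], []
    for value in values:
        try:
            repo = normalize_repository(value)
        except ValueError:
            rejected.append(value)  # keep bad inputs visible for the operator
            continue
        key = repo.lower()  # GitHub owner/repo names are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        if len(urls) < max_repositories:
            urls.append(API_BASE + repo)
    return urls, rejected

if __name__ == "__main__":
    # The three input forms from the page, plus one constructed bad input.
    sample = ["github.com/kubernetes/kubernetes", "https://github.com/nodejs/node",
              "golang/go", "https://gitlab.com/a/b"]
    print(build_batch(sample))
```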

Tips for best results

  • Use public GitHub repositories only.
  • Keep maxRepositories low for first tests.
  • Schedule recurring runs to monitor score changes over time.
  • Use includeRawDetails when you need full raw detail arrays for audits.
  • Keep failBelowScore aligned with your internal policy threshold.

Integrations

Use this actor with:

  • Apify schedules for weekly open-source risk monitoring.
  • Apify webhooks to notify a compliance workflow when a run finishes.
  • BI tools that import Apify dataset CSV or JSON exports.
  • Security data lakes that aggregate dependency risk evidence.
  • Vendor approval workflows that need Scorecard evidence for GitHub projects.

API usage

Run the actor with the Apify API from Node.js, Python, or cURL.

Node.js example

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: process.env.APIFY_TOKEN });
const run = await client.actor('automation-lab/openssf-scorecard-projects-scraper').call({
  repositories: ['github.com/kubernetes/kubernetes', 'github.com/nodejs/node'],
  maxRepositories: 10,
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python example

import os

from apify_client import ApifyClient

client = ApifyClient(os.environ['APIFY_TOKEN'])
run = client.actor('automation-lab/openssf-scorecard-projects-scraper').call(run_input={
    'repositories': ['github.com/kubernetes/kubernetes', 'github.com/nodejs/node'],
    'maxRepositories': 10,
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

cURL example

curl -X POST "https://api.apify.com/v2/acts/automation-lab~openssf-scorecard-projects-scraper/runs?token=$APIFY_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"repositories":["github.com/kubernetes/kubernetes"],"maxRepositories":1}'

MCP: use from Claude Desktop or Claude Code

You can use this actor through the Apify MCP server.

MCP tool URL:

https://mcp.apify.com/?tools=automation-lab/openssf-scorecard-projects-scraper

Claude Code setup:

$ claude mcp add apify-openssf-scorecard --transport http "https://mcp.apify.com/?tools=automation-lab/openssf-scorecard-projects-scraper"

Claude Desktop JSON config:

{
  "mcpServers": {
    "apify-openssf-scorecard": {
      "url": "https://mcp.apify.com/?tools=automation-lab/openssf-scorecard-projects-scraper"
    }
  }
}

Example prompts:

  • "Run OpenSSF Scorecard Projects Scraper for these GitHub repositories and summarize the failed checks."
  • "Export Scorecard check rows for our dependency list and group them by checkStatus."
  • "Monitor these OSS projects weekly and tell me which checks changed from pass to warn or fail."

Scheduling recurring monitoring

Open-source risk is not static.

Create an Apify schedule to run this actor weekly or monthly against the same repository portfolio. Then compare datasets by repository, checkName, and scorecardDate.
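One way to do that comparison, as an added example that is not part of the actor: it takes two dataset exports as lists of rows and reports checks whose `checkStatus` got worse. The field names come from the output example above; the helper names, the sample rows and the choice to skip `not_available` rows are assumptions.

```python
SEVERITY = {"pass": 0, "warn": 1, "fail": 2}  # "not_available" is deliberately absent

def latest_by_check(rows):
    """Index rows by (repository, checkName), keeping the newest scorecardDate."""
    index = {}
    for row in rows:
        key = (row["repository"], row["checkName"])
        # ISO dates (YYYY-MM-DD) sort correctly as plain strings.
        if key not in index or row["scorecardDate"] > index[key]["scorecardDate"]:
            index[key] = row
    return index

def find_regressions(previous_rows, current_rows):
    """Return checks whose status got worse between two dataset exports."""
    before, after = latest_by_check(previous_rows), latest_by_check(current_rows)
    regressions = []
    for key in sorted(after):
        old, new = before.get(key), after[key]
        if old is None:
            continue  # check absent from the earlier run: nothing to compare
        old_rank = SEVERITY.get(old["checkStatus"])
        new_rank = SEVERITY.get(new["checkStatus"])
        if old_rank is None or new_rank is None:
            continue  # assumption: not_available on either side is not a regression
        if new_rank > old_rank:
            regressions.append({
                "repository": key[0], "checkName": key[1],
                "from": old["checkStatus"], "to": new["checkStatus"],
                "fromDate": old["scorecardDate"], "toDate": new["scorecardDate"],
                "checkReason": new.get("checkReason", ""),
            })
    return regressions

def _row(repo, check, status, date, reason=""):
    return {"repository": repo, "checkName": check, "checkStatus": status,
            "scorecardDate": date, "checkReason": reason}

# Constructed sample rows for two weekly runs (not real Scorecard results).
A, B = "github.com/example-org/lib-a", "github.com/example-org/lib-b"
PREVIOUS = [_row(A, "Code-Review", "pass", "2026-06-15"),
            _row(A, "Pinned-Dependencies", "warn", "2026-06-15"),
            _row(A, "Signed-Releases", "not_available", "2026-06-15"),
            _row(B, "Branch-Protection", "pass", "2026-06-15")]
CURRENT = [_row(A, "Code-Review", "warn", "2026-06-22", "constructed reason"),
           _row(A, "Pinned-Dependencies", "warn", "2026-06-22"),
           _row(A, "Signed-Releases", "fail", "2026-06-22"),
           _row(B, "Branch-Protection", "fail", "2026-06-22")]

if __name__ == "__main__":
    for item in find_regressions(PREVIOUS, CURRENT):
        print(item)
```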

Error handling

If one repository fails, the actor logs a warning and continues with the remaining repositories.

The run fails only when no Scorecard check rows are saved. This makes it suitable for larger lists where one archived or unsupported repository should not stop the whole export.

Performance

The actor is HTTP/API-only and uses 256 MB memory by default.

No browser automation is used. No proxy is required by default.

Legality

This actor uses the public OpenSSF Scorecard API and public GitHub project identifiers supplied by the user.

You are responsible for using the data according to your policies, applicable law, and the OpenSSF/GitHub terms that apply to your workflow.

FAQ

Does it need a GitHub token?

No. The actor calls the public OpenSSF Scorecard API endpoint.

Why is a check score -1?

OpenSSF Scorecard uses negative scores for checks that are not available or not applicable. The actor normalizes those rows to checkStatus: not_available.

Can I scrape private repositories?

No. This actor is for public GitHub repositories supported by the public Scorecard API.

Why did my run save no rows?

Check that the repositories are public GitHub projects and that the input uses owner/repo, github.com/owner/repo, or a GitHub URL.

Related scrapers

Explore related Automation Lab actors at:

Changelog

  • Initial version: batch export of OpenSSF Scorecard check rows for public GitHub repositories.
