OpenSSF Scorecard Projects Scraper

Pricing

from $17.10 / 1,000 scored projects

OpenSSF Scorecard Projects Scraper checks GitHub repositories. Export scores, commits, Scorecard versions, check results, reasons, details, and documentation links.

Developer

Maxime Dupré

Maintained by Community

🛡️ OpenSSF Scorecard projects scraper

Check GitHub repositories with OpenSSF Scorecard and export one clean row per reachable project. The Actor returns the repository score, scored commit, Scorecard date, Scorecard version, and check-level results with source-backed reasons, details, and documentation links when OpenSSF provides them. It is useful for security teams, maintainers, DevSecOps workflows, and research pipelines that need repeatable Scorecard data without manually querying each repo.

📦 Returned data

Each successful dataset row represents one GitHub repository with an available OpenSSF Scorecard result.

The output includes:

  • repository: normalized GitHub repository, such as github.com/ossf/scorecard.
  • score: overall OpenSSF Scorecard score.
  • commit: Git commit SHA used for the result when the source provides it.
  • scorecardDate: source-native Scorecard date or timestamp.
  • scorecardVersion: OpenSSF Scorecard version that produced the result.
  • checks: check-level results with name, numeric score, reason, detail lines, and documentation URL when present.

Failed, invalid, private, or unavailable repositories are reported in the run logs and are not emitted as result rows.

🚀 How to run

Add GitHub repositories in the input form and start the Actor. Use either github.com/owner/repo or owner/repo format.

Good first-run examples:

{
  "repositories": [
    "github.com/ossf/scorecard",
    "github.com/kubernetes/kubernetes",
    "github.com/golang/go"
  ]
}

The Actor queries public OpenSSF Scorecard data. You do not need GitHub credentials, cookies, or an OpenSSF API key.

🎯 Input

The public input has one required field:

  • repositories: a list of GitHub repositories to check.

The form accepts up to 500 repository targets. Enter fewer repositories when you want a smaller run. Source access settings, retries, concurrency, and cleanup are handled by the Actor.

🧾 Output example

{
  "repository": "github.com/ossf/scorecard",
  "score": 9,
  "commit": "916bfc57fa7431467a33a5a013cba3f8a0c1ec50",
  "scorecardDate": "2026-06-27T02:23:36Z",
  "scorecardVersion": "v5.3.0",
  "checks": [
    {
      "name": "Security-Policy",
      "score": 10,
      "reason": "security policy file detected",
      "details": [
        "Found security policy: SECURITY.md"
      ],
      "documentationUrl": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy"
    }
  ]
}

The checks array preserves source-native scores, including sentinel values such as -1 when OpenSSF returns them.
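
Added example (not part of the Actor or its documentation): because failed targets produce no row and -1 sentinels are passed through, a consumer of the dataset has to reconcile the submitted list against the returned rows and keep -1 apart from real scores. The threshold, the required check list (Branch-Protection is a Scorecard check name not shown on this page), and the reading of -1 as "inconclusive" are assumptions of this sketch; the sample rows are constructed.

```python
# Added example: coverage and policy audit over exported rows (not the Actor's code).
INCONCLUSIVE = -1  # sentinel passed through from OpenSSF: the check gave no score

def normalize(target):
    """Map 'owner/repo' or 'github.com/owner/repo' to 'github.com/owner/repo'."""
    t = target.strip().lower().rstrip("/")
    return t if t.startswith("github.com/") else "github.com/" + t

def audit(submitted, rows, threshold=7.0,
          required=("Security-Policy", "Branch-Protection")):
    """Return (missing, findings): targets with no row, and per-repo policy gaps."""
    by_repo = {normalize(r["repository"]): r for r in rows}
    # Failed targets are never emitted as rows, so absence has to be detected here.
    missing = sorted({normalize(s) for s in submitted} - set(by_repo))
    findings = {}
    for repo, row in sorted(by_repo.items()):
        issues = []
        if row["score"] < threshold:
            issues.append(f"overall score {row['score']} < {threshold}")
        checks = {c["name"]: c["score"] for c in row.get("checks", [])}
        for name in required:
            score = checks.get(name)
            if score is None:
                issues.append(f"{name}: check absent from row")
            elif score == INCONCLUSIVE:
                # Neither a pass nor a zero: send to manual review.
                issues.append(f"{name}: inconclusive (-1), needs review")
            elif score < threshold:
                issues.append(f"{name}: score {score} < {threshold}")
        if issues:
            findings[repo] = issues
    return missing, findings

# Constructed sample data in the row shape shown above; all values are made up.
SUBMITTED = ["example-org/api", "github.com/example-org/widget",
             "example-org/private-tool"]
ROWS = [
    {"repository": "github.com/example-org/api", "score": 9, "checks": [
        {"name": "Security-Policy", "score": 10},
        {"name": "Branch-Protection", "score": 8}]},
    {"repository": "github.com/example-org/widget", "score": 5.5, "checks": [
        {"name": "Security-Policy", "score": 10},
        {"name": "Branch-Protection", "score": -1}]},
]

if __name__ == "__main__":
    missing, findings = audit(SUBMITTED, ROWS)
    print("no Scorecard row:", missing)
    for repo, issues in findings.items():
        print(repo, "->", "; ".join(issues))
```

Treating a missing row as a pass would let private, renamed, or mistyped repositories slip through a CI gate unnoticed, so the missing list should fail the run or open a ticket rather than be ignored.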

💳 Pricing

This Actor uses pay-per-event pricing. You are charged for each GitHub repository that returns a successful OpenSSF Scorecard result. Repositories that do not produce a result are not charged as scored projects.

🔌 Integrations

  • Run the Actor from the Apify API to add Scorecard checks to CI, reporting, or asset-inventory workflows.
  • Schedule recurring runs to monitor a fixed list of repositories.
  • Export results as JSON, CSV, Excel, or through Apify dataset API endpoints.
  • Send finished runs to webhooks, Google Sheets, Make, Zapier, or your own data pipeline.

❓ FAQ

Can I scan any GitHub repository?
You can submit public GitHub repositories. A dataset row is emitted when OpenSSF Scorecard has a successful result for that repository.

Does this require GitHub credentials or an OpenSSF API key?
No. The Actor uses public OpenSSF Scorecard data and does not ask for cookies, GitHub tokens, or source API keys.

What does the fan-out query "OpenSSF Scorecard projects scraper OpenSSF Scorecard GitHub projects list Scorecard API projects OpenSSF Scorecard repo scan" mean for this Actor?
It points to the same core job: checking a list of GitHub repositories and exporting OpenSSF Scorecard project data for each reachable repo.

Why not use the OpenSSF Scorecard API?
You can use the API directly. This Actor is useful when you want an Apify-ready workflow with bulk input, dataset exports, scheduling, API access, webhooks, and pay-per-successful-result charging.

What are OpenSSF Scorecard alternatives?
Security teams often combine Scorecard data with CVE feeds, dependency scanners, repository metadata, and policy checks. This Actor stays focused on source-backed OpenSSF Scorecard project results.

Do failed repositories appear in the dataset?
No. The dataset contains successful Scorecard project rows only. Missing, invalid, private, or unresolved targets are surfaced in logs/status instead.

Can I use this for monitoring open-source project health?
Yes. Schedule the Actor with the same repository list and export the latest source-backed Scorecard results to your reporting workflow.

📝 Changelog

  • 1.0: Initial release.

🆘 Support

For issues, questions, or feature requests, file a ticket and I'll fix or implement it in less than 24h 🫡

Made with ❤️ by Maxime Dupré