# OpenSSF Scorecard Projects Scraper (`maximedupre/openssf-scorecard-projects-scraper`) Actor OpenSSF Scorecard Projects Scraper checks GitHub repositories. Export scores, commits, Scorecard versions, check results, reasons, details, and documentation links. - **URL**: https://apify.com/maximedupre/openssf-scorecard-projects-scraper.md - **Developed by:** [Maxime Duprรฉ](https://apify.com/maximedupre) (community) - **Categories:** Developer tools, Business, Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing from $17.10 / 1,000 scored projects This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ### ๐Ÿ›ก๏ธ OpenSSF Scorecard projects scraper Check GitHub repositories with OpenSSF Scorecard and export one clean row per reachable project. The Actor returns the repository score, scored commit, Scorecard date, Scorecard version, and check-level results with source-backed reasons, details, and documentation links when OpenSSF provides them. It is useful for security teams, maintainers, DevSecOps workflows, and research pipelines that need repeatable Scorecard data without manually querying each repo. - [OpenSSF Scorecard projects scraper](https://apify.com/maximedupre/openssf-scorecard-projects-scraper/examples/openssf-scorecard-projects-scraper): collect Scorecard results for many GitHub repositories in one run. - [OpenSSF Scorecard GitHub projects list](https://apify.com/maximedupre/openssf-scorecard-projects-scraper/examples/openssf-scorecard-github-projects-list): turn a repository list into structured score and check data. - [Scorecard API projects](https://apify.com/maximedupre/openssf-scorecard-projects-scraper/examples/scorecard-api-projects): export source-backed Scorecard API results through Apify. - [OpenSSF Scorecard repo scan](https://apify.com/maximedupre/openssf-scorecard-projects-scraper/examples/openssf-scorecard-repo-scan): review project security signals from the current OpenSSF result. - [GitHub repository security score export](https://apify.com/maximedupre/openssf-scorecard-projects-scraper/examples/github-repository-security-score-export): send Scorecard rows to audit, reporting, or asset-inventory workflows. #### ๐Ÿ“ฆ Returned data Each successful dataset row represents one GitHub repository with an available OpenSSF Scorecard result. The output includes: - `repository`: normalized GitHub repository, such as `github.com/ossf/scorecard`. - `score`: overall OpenSSF Scorecard score. - `commit`: Git commit SHA used for the result when the source provides it. - `scorecardDate`: source-native Scorecard date or timestamp. - `scorecardVersion`: OpenSSF Scorecard version that produced the result. - `checks`: check-level results with name, numeric score, reason, detail lines, and documentation URL when present. Failed, invalid, private, or unavailable repositories are handled in run logs and are not emitted as result rows. #### ๐Ÿš€ How to run Add GitHub repositories in the input form and start the Actor. Use either `github.com/owner/repo` or `owner/repo` format. Good first-run examples: ```json { "repositories": [ "github.com/ossf/scorecard", "github.com/kubernetes/kubernetes", "github.com/golang/go" ] } ```` The Actor queries public OpenSSF Scorecard data. You do not need GitHub credentials, cookies, or an OpenSSF API key. #### ๐ŸŽฏ Input The public input has one required field: - `repositories`: a list of GitHub repositories to check. The form accepts up to 500 repository targets. Enter fewer repositories when you want a smaller run. Source access settings, retries, concurrency, and cleanup are handled by the Actor. #### ๐Ÿงพ Output example ```json { "repository": "github.com/ossf/scorecard", "score": 9, "commit": "916bfc57fa7431467a33a5a013cba3f8a0c1ec50", "scorecardDate": "2026-06-27T02:23:36Z", "scorecardVersion": "v5.3.0", "checks": [ { "name": "Security-Policy", "score": 10, "reason": "security policy file detected", "details": [ "Found security policy: SECURITY.md" ], "documentationUrl": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy" } ] } ``` The `checks` array preserves source-native scores, including sentinel values such as `-1` when OpenSSF returns them. #### ๐Ÿ’ณ Pricing This Actor uses pay-per-event pricing. You are charged for each GitHub repository that returns a successful OpenSSF Scorecard result. Repositories that do not produce a result are not charged as scored projects. #### ๐Ÿ”Œ Integrations https://www.youtube.com/watch?v=bNACk1\_S\_6w\&list=PLObrtcm1Kw6MUrlLNDbK9QRg8VDJg0gOW\&index=4 - Run the Actor from the Apify API to add Scorecard checks to CI, reporting, or asset-inventory workflows. - Schedule recurring runs to monitor a fixed list of repositories. - Export results as JSON, CSV, Excel, or through Apify dataset API endpoints. - Send finished runs to webhooks, Google Sheets, Make, Zapier, or your own data pipeline. #### โ“ FAQ **Can I scan any GitHub repository?**\ You can submit public GitHub repositories. A dataset row is emitted when OpenSSF Scorecard has a successful result for that repository. **Does this require GitHub credentials or an OpenSSF API key?**\ No. The Actor uses public OpenSSF Scorecard data and does not ask for cookies, GitHub tokens, or source API keys. **What does the fan-out query "OpenSSF Scorecard projects scraper OpenSSF Scorecard GitHub projects list Scorecard API projects OpenSSF Scorecard repo scan" mean for this Actor?**\ It points to the same core job: checking a list of GitHub repositories and exporting OpenSSF Scorecard project data for each reachable repo. **Why not use the OpenSSF Scorecard API?**\ You can use the API directly. This Actor is useful when you want an Apify-ready workflow with bulk input, dataset exports, scheduling, API access, webhooks, and pay-per-successful-result charging. **What are OpenSSF Scorecard alternatives?**\ Security teams often combine Scorecard data with CVE feeds, dependency scanners, repository metadata, and policy checks. This Actor stays focused on source-backed OpenSSF Scorecard project results. **Do failed repositories appear in the dataset?**\ No. The dataset contains successful Scorecard project rows only. Missing, invalid, private, or unresolved targets are surfaced in logs/status instead. **Can I use this for monitoring open-source project health?**\ Yes. Schedule the Actor with the same repository list and export the latest source-backed Scorecard results to your reporting workflow. ### ๐Ÿ“ Changelog - 1.0: Initial release. ### ๐Ÿ†˜ Support For issues, questions, or feature requests, [file a ticket](https://console.apify.com/actors/maximedupre~openssf-scorecard-projects-scraper/issues) and I'll fix or implement it in less than 24h ๐Ÿซก ### ๐Ÿ”— Other actors - [Glama MCP Registry Scraper โ†—](https://apify.com/maximedupre/glama-mcp-registry-scraper) - Export MCP server metadata, repository facts, and readiness fields. - [Chrome Extensions Scraper โ†—](https://apify.com/maximedupre/chrome-extensions-scraper) - Collect Chrome Web Store extension metadata, manifests, permissions, and publisher data. - [Ahrefs Free Website Stats Scraper โ†—](https://apify.com/maximedupre/ahrefs-free-website-stats-scraper) - Export public Ahrefs domain rating, traffic, rank, and backlink metrics. - [GLEIF LEI Lookup โ†—](https://apify.com/maximedupre/gleif-lei-lookup) - Look up legal entity identifiers and registry facts from GLEIF. - [Email MX Verifier โ†—](https://apify.com/maximedupre/email-mx-verifier) - Check email syntax, MX records, provider type, and deliverability signals. **Made with โค๏ธ by Maxime Duprรฉ** # Actor input Schema ## `repositories` (type: `array`): Add one GitHub repository per row. Use `owner/repo` or `github.com/owner/repo`. ## Actor input object example ```json { "repositories": [ "github.com/ossf/scorecard", "github.com/kubernetes/kubernetes", "github.com/golang/go", "github.com/nodejs/node", "github.com/facebook/react" ] } ``` # Actor output Schema ## `results` (type: `string`): Repository scores, commits, Scorecard versions, check results, reasons, details, and documentation links. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "repositories": [ "github.com/ossf/scorecard", "github.com/kubernetes/kubernetes", "github.com/golang/go", "github.com/nodejs/node", "github.com/facebook/react" ] }; // Run the Actor and wait for it to finish const run = await client.actor("maximedupre/openssf-scorecard-projects-scraper").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "repositories": [ "github.com/ossf/scorecard", "github.com/kubernetes/kubernetes", "github.com/golang/go", "github.com/nodejs/node", "github.com/facebook/react", ] } # Run the Actor and wait for it to finish run = client.actor("maximedupre/openssf-scorecard-projects-scraper").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "repositories": [ "github.com/ossf/scorecard", "github.com/kubernetes/kubernetes", "github.com/golang/go", "github.com/nodejs/node", "github.com/facebook/react" ] }' | apify call maximedupre/openssf-scorecard-projects-scraper --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=maximedupre/openssf-scorecard-projects-scraper", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "OpenSSF Scorecard Projects Scraper", "description": "OpenSSF Scorecard Projects Scraper checks GitHub repositories. Export scores, commits, Scorecard versions, check results, reasons, details, and documentation links.", "version": "1.0", "x-build-id": "OUODwRNbYeoHKqCv0" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/maximedupre~openssf-scorecard-projects-scraper/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-maximedupre-openssf-scorecard-projects-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/maximedupre~openssf-scorecard-projects-scraper/runs": { "post": { "operationId": "runs-sync-maximedupre-openssf-scorecard-projects-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/maximedupre~openssf-scorecard-projects-scraper/run-sync": { "post": { "operationId": "run-sync-maximedupre-openssf-scorecard-projects-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "repositories" ], "properties": { "repositories": { "title": "GitHub repositories", "minItems": 1, "maxItems": 500, "type": "array", "description": "Add one GitHub repository per row. Use `owner/repo` or `github.com/owner/repo`.", "items": { "type": "string" } } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```