
OpenSSF Scorecard Lua API for KosmoKrator Agents

Agent-facing Lua documentation and function reference for the OpenSSF Scorecard KosmoKrator integration.

Lua Namespace

Agents call this integration through app.integrations.openssf_scorecard.*. Use lua_read_doc("integrations.openssf-scorecard") inside KosmoKrator to discover the same reference at runtime.

Call Lua from the Headless CLI

Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic OpenSSF Scorecard workflow without starting an interactive agent session.

Inline Lua call

```sh
kosmo integrations:lua --eval 'dump(app.integrations.openssf_scorecard.result({}))' --json
```

Read Lua docs headlessly

```sh
kosmo integrations:lua --eval 'print(docs.read("openssf-scorecard"))' --json
kosmo integrations:lua --eval 'print(docs.read("openssf-scorecard.result"))' --json
```

Workflow file

Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.

workflow.lua

```lua
local openssf_scorecard = app.integrations.openssf_scorecard
local result = openssf_scorecard.result({})

dump(result)
```

Run the workflow

```sh
kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json
```

Namespace note. integrations:lua exposes app.integrations.openssf_scorecard, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.openssf_scorecard.default.* or app.integrations.openssf_scorecard.work.* when you configured named credential accounts.

MCP-only Lua

If the script only needs configured MCP servers and does not need OpenSSF Scorecard, use the narrower mcp:lua command.

MCP Lua command

```sh
# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json
```

Agent-Facing Lua Docs

This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.

OpenSSF Scorecard

Namespace: openssf-scorecard

Use this integration to retrieve published OpenSSF Scorecard results for open source repositories, inspect individual security checks, fetch badge SVGs, and build viewer URLs.

Authentication

The published OpenSSF Scorecard API is public and requires no credentials.

Tools

  • openssf_scorecard_result: retrieves the published JSON result for a repository. Pass uri = "github.com/org/repo" or platform, org, and repo. The optional commit parameter selects a specific 40-character SHA.
  • openssf_scorecard_check: retrieves one check from the result, such as Maintained, Security-Policy, Code-Review, or Vulnerabilities.
  • openssf_scorecard_badge: retrieves the badge SVG. Optional style values are plastic, flat, flat-square, for-the-badge, and social.
  • openssf_scorecard_viewer_url: builds a public viewer URL for the repository.

Return Notes

openssf_scorecard_result keeps the API response field names intact. Results include date, repo, scorecard, aggregate score, and checks.

Each check includes fields such as name, score, reason, details, and documentation. Not every repository has a published result; the API only serves projects that have published Scorecard output.

Examples

```lua
local result = tools.openssf_scorecard_result({
  uri = "github.com/ossf/scorecard"
})

local security_policy = tools.openssf_scorecard_check({
  uri = "github.com/ossf/scorecard",
  check = "Security-Policy"
})

local badge = tools.openssf_scorecard_badge({
  uri = "github.com/ossf/scorecard",
  style = "flat"
})
```

Scores are useful supply-chain signals, not absolute safety guarantees. Inspect individual check reasons and details before drawing conclusions.
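
As an added example (not part of the KosmoKrator documentation), the workflow below applies that advice by gating on individual checks and their reasons instead of the aggregate score. It assumes `result` accepts the `uri` parameter described under Tools and returns a Lua table with the `checks` fields listed under Return Notes; the policy thresholds and the sample result are constructed.

```lua
-- Added example; POLICY minimums are hypothetical, set them per project.
local POLICY = {
  ["Code-Review"] = 7,
  ["Security-Policy"] = 5,
  ["Vulnerabilities"] = 8,
}

-- Returns a sorted list of findings; an empty list means the policy passed.
-- A nil result or a missing check fails closed (not every repo is published).
local function evaluate(result, policy)
  local findings, seen = {}, {}
  for _, check in ipairs((result or {}).checks or {}) do
    local min = policy[check.name]
    if min then
      seen[check.name] = true
      local score = tonumber(check.score) or -1
      if score < 0 then
        -- Scorecard reports -1 when a check could not be evaluated.
        findings[#findings + 1] = check.name .. ": inconclusive, " .. tostring(check.reason)
      elseif score < min then
        findings[#findings + 1] = check.name .. ": score " .. tostring(score)
          .. " below " .. tostring(min) .. ", " .. tostring(check.reason)
      end
    end
  end
  for name in pairs(policy) do
    if not seen[name] then findings[#findings + 1] = name .. ": missing from result" end
  end
  table.sort(findings)
  return findings
end

-- Constructed sample, used when the script runs outside KosmoKrator.
local SAMPLE = {
  checks = {
    { name = "Code-Review", score = 9, reason = "constructed sample" },
    { name = "Security-Policy", score = 0, reason = "constructed sample" },
  },
}

local result = SAMPLE
if app and app.integrations then
  -- Assumption: result accepts uri as described under Tools.
  result = app.integrations.openssf_scorecard.result({ uri = "github.com/ossf/scorecard" })
end

local findings = evaluate(result, POLICY)
for _, line in ipairs(findings) do print("FAIL " .. line) end
if #findings > 0 then error("Scorecard policy failed", 0) end
```

With the constructed sample, Security-Policy fails its minimum and Vulnerabilities is reported as missing, so the script ends with an error.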

Metadata-derived Lua example

```lua
local result = app.integrations.openssf_scorecard.result({})
print(result)
```

Functions

result (Read)

Retrieve a published repository Scorecard result.

Lua path: app.integrations.openssf_scorecard.result
Full name: openssf-scorecard.openssf_scorecard_result
Parameters: No parameters.

check (Read)

Retrieve one check from a published Scorecard result.

Lua path: app.integrations.openssf_scorecard.check
Full name: openssf-scorecard.openssf_scorecard_check
Parameters: No parameters.

badge (Read)

Retrieve the OpenSSF Scorecard badge SVG.

Lua path: app.integrations.openssf_scorecard.badge
Full name: openssf-scorecard.openssf_scorecard_badge
Parameters: No parameters.

viewer_url (Read)

Build the public Scorecard viewer URL for a repository.

Lua path: app.integrations.openssf_scorecard.viewer_url
Full name: openssf-scorecard.openssf_scorecard_viewer_url
Parameters: No parameters.