diff --git a/components/enrichers/custom-annotation/main.go b/components/enrichers/custom-annotation/main.go
index 066f1e3af..cbdecfcb5 100644
--- a/components/enrichers/custom-annotation/main.go
+++ b/components/enrichers/custom-annotation/main.go
@@ -69,9 +69,8 @@ func run(name, annotations string) error {
 }
 
 func main() {
- flag.StringVar(&annotations, "annotations", enrichers.LookupEnvOrString("ANNOTATIONS", ""), "what are the annotations this enricher will add to the issues")
+ flag.StringVar(&annotations, "annotations", enrichers.LookupEnvOrString("ANNOTATIONS", "{}"), "what are the annotations this enricher will add to the issues")
 flag.StringVar(&name, "annotation-name", enrichers.LookupEnvOrString("NAME", defaultName), "what is the name this enricher will masquerade as")
-
 if err := enrichers.ParseFlags(); err != nil {
 log.Fatal(err)
 }
diff --git a/components/producers/ossf-scorecard/examples/scorecard-out.json b/components/producers/ossf-scorecard/examples/scorecard-out.json
new file mode 100644
index 000000000..5512ecbc1
--- /dev/null
+++ b/components/producers/ossf-scorecard/examples/scorecard-out.json
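Review bot: The new `{}` default only covers the unset case; an operator who exports `ANNOTATIONS=` with an empty value or passes `--annotations=""` still hands `run` an empty string, so whatever `run` does with the value (its body is outside this hunk) still has to treat empty input as "no annotations" or fail with a clear message rather than a raw parse error. Whether `LookupEnvOrString` returns the default for a variable that is set but empty is not visible here and is worth confirming. The usage string could also state the format the default now implies, e.g. `"JSON object of annotations (key/value pairs) this enricher will add to the issues"`, which matches the `'{"foo":"bar","a":"b","1":"2"}'` value the new pipelinerun example on this page passes.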
@@ -0,0 +1,350 @@ +{ + "date": "2024-10-25T08:35:15Z", + "repo": { + "name": "github.com/smithy-security/smithy", + "commit": "086c18b8f4d749d4c5a98cc9a87825c8b038851e" + }, + "scorecard": { + "version": "v5.0.0-74-g367426ed", + "commit": "367426ed5d9cc62f4944dc4a2174f3bbb5e22169" + }, + "score": 5.7, + "checks": [ + { + "details": null, + "score": 10, + "reason": "no binaries found in the repo", + "name": "Binary-Artifacts", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#binary-artifacts", + "short": "Determines if the project has generated executable (binary) artifacts in the source repository." + } + }, + { + "details": [ + "Info: 'allow deletion' disabled on branch 'main'", + "Info: 'force pushes' disabled on branch 'main'", + "Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'", + "Warn: 'stale review dismissal' is disabled on branch 'main'", + "Warn: required approving review count is 1 on branch 'main'", + "Info: codeowner review is required on branch 'main'", + "Info: 'last push approval' is required to merge on branch 'main'", + "Info: 'up-to-date branches' is required to merge on branch 'main'", + "Warn: no status checks found to merge onto branch 'main'", + "Info: PRs are required in order to make changes on branch 'main'" + ], + "score": 6, + "reason": "branch protection is not maximal on development and all release branches", + "name": "Branch-Protection", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#branch-protection", + "short": "Determines if the default and release branches are protected with GitHub's branch protection settings." 
+ } + }, + { + "details": null, + "score": 10, + "reason": "9 out of 9 merged PRs checked by a CI test -- score normalized to 10", + "name": "CI-Tests", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#ci-tests", + "short": "Determines if the project runs tests before pull requests are merged." + } + }, + { + "details": null, + "score": 0, + "reason": "no effort to earn an OpenSSF best practices badge detected", + "name": "CII-Best-Practices", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#cii-best-practices", + "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge." + } + }, + { + "details": null, + "score": 10, + "reason": "all changesets reviewed", + "name": "Code-Review", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#code-review", + "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged." 
+ } + }, + { + "details": [ + "Info: p5-net-ssleay contributor org/company found, montrealrb contributor org/company found, team-ramrod contributor org/company found, thought-machine contributor org/company found, https://smithy.security contributor org/company found, HackHPI contributor org/company found, smithy-security contributor org/company found, velocity-ci contributor org/company found, oauth2-proxy contributor org/company found, stealth startup contributor org/company found, jpmorganchase contributor org/company found, railsbridge-montreal contributor org/company found, " + ], + "score": 10, + "reason": "project has 12 contributing companies or organizations", + "name": "Contributors", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#contributors", + "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)." + } + }, + { + "details": null, + "score": 10, + "reason": "no dangerous workflow patterns detected", + "name": "Dangerous-Workflow", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#dangerous-workflow", + "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns." + } + }, + { + "details": [ + "Info: detected update tool: Dependabot: :0" + ], + "score": 10, + "reason": "update tool detected", + "name": "Dependency-Update-Tool", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#dependency-update-tool", + "short": "Determines if the project uses a dependency update tool." 
+ } + }, + { + "details": [ + "Warn: no fuzzer integrations found" + ], + "score": 0, + "reason": "project is not fuzzed", + "name": "Fuzzing", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#fuzzing", + "short": "Determines if the project uses fuzzing." + } + }, + { + "details": [ + "Info: project has a license file: LICENSE:0", + "Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0" + ], + "score": 10, + "reason": "license file detected", + "name": "License", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#license", + "short": "Determines if the project has defined a license." + } + }, + { + "details": null, + "score": 10, + "reason": "30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10", + "name": "Maintained", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#maintained", + "short": "Determines if the project is \"actively maintained\"." + } + }, + { + "details": [ + "Warn: no GitHub/GitLab publishing workflow detected." + ], + "score": -1, + "reason": "packaging workflow not detected", + "name": "Packaging", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#packaging", + "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall." 
+ } + }, + { + "details": [ + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/format.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/format.yml/main?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/format.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/format.yml/main?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/lint.yml/main?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/lint.yml/main?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/lint.yml/main?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/publish.yml/main?enable=pin", + "Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/publish.yml/main?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin", + "Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:41: update your 
workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin", + "Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin", + "Warn: containerImage not pinned by hash: components/consumers/pdf/Dockerfile:1: pin your Docker image by updating golang:1.22-bookworm to golang:1.22-bookworm@sha256:3f0457a0a56a926d93c2baf4cf0057a645e8ff69ff31314080fcc62389643b8e", + "Warn: containerImage not pinned by hash: components/producers/typescript-eslint/eslint-wrapper/Dockerfile:2", + "Warn: containerImage not pinned by hash: containers/Dockerfile.base:1", + "Warn: containerImage not pinned by hash: containers/Dockerfile.buf:4", + "Warn: containerImage not pinned by hash: containers/Dockerfile.buf:10", + "Warn: containerImage not pinned by hash: containers/Dockerfile.smithyctl:3", + "Warn: npmCommand not pinned by hash: components/producers/typescript-eslint/eslint-wrapper/Dockerfile:10-16", + "Warn: goCommand not pinned by hash: vendor/github.com/json-iterator/go/build.sh:10", + "Warn: goCommand not pinned by hash: vendor/github.com/pelletier/go-toml/benchmark.sh:10", + "Warn: goCommand not pinned by hash: vendor/google.golang.org/grpc/regenerate.sh:35", + "Warn: goCommand not pinned by hash: vendor/google.golang.org/grpc/vet.sh:37", + "Warn: goCommand not pinned by hash: .github/workflows/lint.yml:39", + "Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned", + "Info: 0 out of 3 third-party GitHubAction dependencies pinned", + "Info: 0 out of 6 containerImage dependencies pinned", + "Info: 4 out of 9 goCommand dependencies pinned", + "Info: 0 out of 1 npmCommand dependencies pinned" + ], + "score": 2, + "reason": "dependency not pinned by hash detected -- score normalized to 2", + "name": "Pinned-Dependencies", + "documentation": { + "url": 
"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#pinned-dependencies", + "short": "Determines if the project has declared and pinned the dependencies of its build process." + } + }, + { + "details": [ + "Warn: 0 commits out of 30 are checked with a SAST tool" + ], + "score": 0, + "reason": "SAST tool is not run on all commits -- score normalized to 0", + "name": "SAST", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#sast", + "short": "Determines if the project uses static code analysis." + } + }, + { + "details": [ + "Warn: no security policy file detected", + "Warn: no security file to analyze", + "Warn: no security file to analyze", + "Warn: no security file to analyze" + ], + "score": 0, + "reason": "security policy file not detected", + "name": "Security-Policy", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#security-policy", + "short": "Determines if the project has published a security policy." + } + }, + { + "details": null, + "score": -1, + "reason": "no releases found", + "name": "Signed-Releases", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#signed-releases", + "short": "Determines if the project cryptographically signs release artifacts." 
+ } + }, + { + "details": [ + "Info: topLevel 'contents' permission set to 'read': .github/workflows/format.yml:10", + "Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:14", + "Warn: topLevel 'contents' permission set to 'write': .github/workflows/publish.yml:9", + "Warn: topLevel 'packages' permission set to 'write': .github/workflows/publish.yml:11", + "Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:13", + "Info: no jobLevel write permissions found" + ], + "score": 0, + "reason": "detected GitHub workflow tokens with excessive permissions", + "name": "Token-Permissions", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#token-permissions", + "short": "Determines if the project's workflows follow the principle of least privilege." + } + }, + { + "details": [ + "Warn: Project is vulnerable to: GHSA-3ww4-gg4f-jr7f", + "Warn: Project is vulnerable to: GHSA-5cpq-8wj7-hf2v", + "Warn: Project is vulnerable to: GHSA-9v9h-cgj8-h64p", + "Warn: Project is vulnerable to: PYSEC-2021-62 / GHSA-hggm-jpg3-v476", + "Warn: Project is vulnerable to: GHSA-jm77-qphf-c4w8", + "Warn: Project is vulnerable to: GHSA-v8gr-m533-ghj9", + "Warn: Project is vulnerable to: GHSA-w7pp-m8wf-vj6r", + "Warn: Project is vulnerable to: GHSA-x4qr-2fvf-3mr5", + "Warn: Project is vulnerable to: PYSEC-2021-98 / GHSA-68w8-qjq3-2gfm", + "Warn: Project is vulnerable to: GHSA-8x94-hmjh-97hq", + "Warn: Project is vulnerable to: GHSA-rrqc-c2jx-6jgv", + "Warn: Project is vulnerable to: PYSEC-2023-62 / GHSA-m2qf-hxjv-5gpq", + "Warn: Project is vulnerable to: GHSA-55x5-fj6c-h6m8", + "Warn: Project is vulnerable to: PYSEC-2021-19 / GHSA-jq4v-f5q6-mjqq", + "Warn: Project is vulnerable to: PYSEC-2020-62 / GHSA-pgww-xf46-h92r", + "Warn: Project is vulnerable to: PYSEC-2022-230 / GHSA-wrxv-2j5q-m38w", + "Warn: Project is vulnerable to: PYSEC-2021-856 / GHSA-5545-2q6w-2gh6", + "Warn: 
Project is vulnerable to: GHSA-6p56-wp2h-9hxr", + "Warn: Project is vulnerable to: PYSEC-2019-108 / GHSA-9fq2-x9r6-wfmf", + "Warn: Project is vulnerable to: PYSEC-2021-857 / GHSA-f7c7-j99h-c22f", + "Warn: Project is vulnerable to: GHSA-fpfv-jqm9-f5jm", + "Warn: Project is vulnerable to: PYSEC-2020-73", + "Warn: Project is vulnerable to: GHSA-3f63-hfp8-52jq", + "Warn: Project is vulnerable to: PYSEC-2021-41 / GHSA-3wvg-mj6g-m9cv", + "Warn: Project is vulnerable to: GHSA-3xv8-3j54-hgrp", + "Warn: Project is vulnerable to: PYSEC-2020-80 / GHSA-43fq-w8qq-v88h", + "Warn: Project is vulnerable to: GHSA-44wm-f244-xhp3", + "Warn: Project is vulnerable to: GHSA-4fx9-vc88-q2xc", + "Warn: Project is vulnerable to: GHSA-56pw-mpj4-fxww", + "Warn: Project is vulnerable to: PYSEC-2021-35 / GHSA-57h3-9rgr-c24m", + "Warn: Project is vulnerable to: PYSEC-2020-172 / GHSA-5gm3-px64-rw72", + "Warn: Project is vulnerable to: PYSEC-2021-331 / GHSA-7534-mm45-c74v", + "Warn: Project is vulnerable to: PYSEC-2021-137 / GHSA-77gc-v2xv-rvvh", + "Warn: Project is vulnerable to: PYSEC-2021-92 / GHSA-7r7m-5h27-29hp", + "Warn: Project is vulnerable to: GHSA-8843-m7mw-mxqm", + "Warn: Project is vulnerable to: PYSEC-2023-227 / GHSA-8ghj-p4vj-mr35", + "Warn: Project is vulnerable to: PYSEC-2022-10 / GHSA-8vj2-vxx3-667w", + "Warn: Project is vulnerable to: PYSEC-2021-36 / GHSA-8xjq-8fcg-g5hw", + "Warn: Project is vulnerable to: PYSEC-2021-42 / GHSA-95q3-8gr9-gm8w", + "Warn: Project is vulnerable to: PYSEC-2021-317 / GHSA-98vv-pw6r-q6q4", + "Warn: Project is vulnerable to: PYSEC-2021-38 / GHSA-9hx2-hgq2-2g4f", + "Warn: Project is vulnerable to: PYSEC-2022-168 / GHSA-9j59-75qj-795w", + "Warn: Project is vulnerable to: PYSEC-2020-76 / GHSA-cqhg-xjhh-p8hf", + "Warn: Project is vulnerable to: PYSEC-2021-40 / GHSA-f4w8-cv6p-x6r5", + "Warn: Project is vulnerable to: PYSEC-2021-69 / GHSA-f5g8-5qq7-938w", + "Warn: Project is vulnerable to: PYSEC-2021-139 / GHSA-g6rj-rv7j-xwp4", + "Warn: Project is vulnerable 
to: PYSEC-2021-71 / GHSA-hf64-x4gq-p99h", + "Warn: Project is vulnerable to: PYSEC-2020-84 / GHSA-hj69-c76v-86wr", + "Warn: Project is vulnerable to: PYSEC-2021-94 / GHSA-hjfx-8p6c-g7gx", + "Warn: Project is vulnerable to: GHSA-j7hp-h8jx-5ppr", + "Warn: Project is vulnerable to: PYSEC-2019-110 / GHSA-j7mj-748x-7p78", + "Warn: Project is vulnerable to: GHSA-jgpv-4h4c-xhw3", + "Warn: Project is vulnerable to: PYSEC-2022-42979 / GHSA-m2vv-5vj5-2hm7", + "Warn: Project is vulnerable to: PYSEC-2021-37 / GHSA-mvg9-xffr-p774", + "Warn: Project is vulnerable to: PYSEC-2021-39 / GHSA-p43w-g3c5-g5mq", + "Warn: Project is vulnerable to: PYSEC-2020-83 / GHSA-p49h-hjvm-jg3h", + "Warn: Project is vulnerable to: PYSEC-2022-8 / GHSA-pw3c-h7wp-cvhx", + "Warn: Project is vulnerable to: PYSEC-2021-93 / GHSA-q5hq-fp76-qmrc", + "Warn: Project is vulnerable to: PYSEC-2020-82 / GHSA-r7rm-8j6h-r933", + "Warn: Project is vulnerable to: PYSEC-2021-138 / GHSA-rwv7-3v45-hg29", + "Warn: Project is vulnerable to: PYSEC-2020-81 / GHSA-vcqg-3p29-xw73", + "Warn: Project is vulnerable to: PYSEC-2020-79 / GHSA-vj42-xq3r-hr3r", + "Warn: Project is vulnerable to: PYSEC-2021-70 / GHSA-vqcj-wrf2-7v73", + "Warn: Project is vulnerable to: PYSEC-2022-9 / GHSA-xrcv-f9gm-v42c", + "Warn: Project is vulnerable to: PYSEC-2020-77", + "Warn: Project is vulnerable to: PYSEC-2020-78", + "Warn: Project is vulnerable to: PYSEC-2023-175", + "Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56", + "Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q", + "Warn: Project is vulnerable to: PYSEC-2020-107 / GHSA-jjw5-xxj6-pcv5", + "Warn: Project is vulnerable to: PYSEC-2024-110 / GHSA-jw8x-6495-233v", + "Warn: Project is vulnerable to: PYSEC-2020-108", + "Warn: Project is vulnerable to: PYSEC-2023-102", + "Warn: Project is vulnerable to: PYSEC-2023-114", + "Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf", + "Warn: Project is vulnerable to: PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4", + "Warn: Project is 
vulnerable to: PYSEC-2023-207 / GHSA-gwvm-45gx-3cf8", + "Warn: Project is vulnerable to: PYSEC-2019-133 / GHSA-mh33-7rrq-662w", + "Warn: Project is vulnerable to: PYSEC-2019-132 / GHSA-r64q-w8jr-g9qp", + "Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f", + "Warn: Project is vulnerable to: PYSEC-2020-148 / GHSA-wqvq-5m8c-6g24", + "Warn: Project is vulnerable to: PYSEC-2021-108", + "Warn: Project is vulnerable to: GO-2022-0646 / GHSA-7f33-f4f5-xwgw / GHSA-f5pg-7wfw-84q9", + "Warn: Project is vulnerable to: GHSA-3vp4-m3rf-835h", + "Warn: Project is vulnerable to: GO-2023-1737 / GHSA-2c4m-59x9-fr2g", + "Warn: Project is vulnerable to: GO-2022-0322 / GHSA-cg3q-j54f-5p7p", + "Warn: Project is vulnerable to: GO-2023-2153 / GHSA-m425-mq94-257g / GHSA-qppj-fm5r-hxr3", + "Warn: Project is vulnerable to: GO-2022-0391 / GHSA-6jvc-q2x7-pchv / GHSA-76wf-9vgp-pj7w", + "Warn: Project is vulnerable to: GO-2023-1901" + ], + "score": 0, + "reason": "89 existing vulnerabilities detected", + "name": "Vulnerabilities", + "documentation": { + "url": "https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#vulnerabilities", + "short": "Determines if the project has open, known unfixed vulnerabilities." + } + } + ], + "metadata": null +} diff --git a/components/producers/ossf-scorecard/examples/scorecard-out.pb b/components/producers/ossf-scorecard/examples/scorecard-out.pb new file mode 100644 index 000000000..fd8730665 --- /dev/null +++ b/components/producers/ossf-scorecard/examples/scorecard-out.pb 
@@ -0,0 +1,21 @@ + + é»í¸Û‚öÖ scorecardÎ +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eBinary-Artifactsno binaries found in the repo :Ã{"score":10,"reason":"no binaries found in the repo","name":"Binary-Artifacts","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#binary-artifacts","short":"Determines if the project has generated executable (binary) artifacts in the source repository."}}Bunknown® +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eBranch-ProtectionHbranch protection is not maximal on development and all release branches :÷{"details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Info: 'last push approval' is required to merge on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"score":6,"reason":"branch protection is not maximal on development and all release branches","name":"Branch-Protection","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#branch-protection","short":"Determines if the default and release branches are protected with GitHub's branch protection settings."}}Bunknownê +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eCI-TestsD9 out of 9 merged PRs checked by a CI test -- score normalized to 10 :À{"score":10,"reason":"9 out of 9 merged PRs checked by a CI test -- score normalized to 
10","name":"CI-Tests","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#ci-tests","short":"Determines if the project runs tests before pull requests are merged."}}Bunknownñ +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eCII-Best-Practices:no effort to earn an OpenSSF best practices badge detected :Ç{"reason":"no effort to earn an OpenSSF best practices badge detected","name":"CII-Best-Practices","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#cii-best-practices","short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."}}Bunknown¾ +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851e Code-Reviewall changesets reviewed :¾{"score":10,"reason":"all changesets reviewed","name":"Code-Review","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#code-review","short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged."}}Bunknown± +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851e Contributors6project has 12 contributing companies or organizations :‘{"details":["Info: p5-net-ssleay contributor org/company found, montrealrb contributor org/company found, team-ramrod contributor org/company found, thought-machine contributor org/company found, https://smithy.security contributor org/company found, HackHPI contributor org/company found, smithy-security contributor org/company found, velocity-ci contributor org/company found, oauth2-proxy contributor org/company found, stealth startup contributor org/company found, jpmorganchase contributor org/company found, railsbridge-montreal contributor org/company found, "],"score":10,"reason":"project has 12 contributing companies or 
organizations","name":"Contributors","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#contributors","short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies)."}}BunknownÖ +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eDangerous-Workflow'no dangerous workflow patterns detected :¿{"score":10,"reason":"no dangerous workflow patterns detected","name":"Dangerous-Workflow","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#dangerous-workflow","short":"Determines if the project's GitHub Action workflows avoid dangerous patterns."}}Bunknownà +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eDependency-Update-Toolupdate tool detected :Ø{"details":["Info: detected update tool: Dependabot: :0"],"score":10,"reason":"update tool detected","name":"Dependency-Update-Tool","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#dependency-update-tool","short":"Determines if the project uses a dependency update tool."}}Bunknown‘ +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eFuzzingproject is not fuzzed :—{"details":["Warn: no fuzzer integrations found"],"reason":"project is not fuzzed","name":"Fuzzing","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#fuzzing","short":"Determines if the project uses fuzzing."}}Bunknownó +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eLicenselicense file detected :ù{"details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"score":10,"reason":"license file 
detected","name":"License","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#license","short":"Determines if the project has defined a license."}}Bunknown‚ +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851e +MaintainedU30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 :Å{"score":10,"reason":"30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10","name":"Maintained","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#maintained","short":"Determines if the project is \"actively maintained\"."}}Bunknownš +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851e Packagingpackaging workflow not detected:–{"details":["Warn: no GitHub/GitLab publishing workflow detected."],"score":-1,"reason":"packaging workflow not detected","name":"Packaging","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#packaging","short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."}}Bunknown–! 
+Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851ePinned-Dependencies?dependency not pinned by hash detected -- score normalized to 2 :æ{"details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/format.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/format.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/format.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/format.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:27: update your workflow using 
https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/smithy-security/smithy/test.yml/main?enable=pin","Warn: containerImage not pinned by hash: components/consumers/pdf/Dockerfile:1: pin your Docker image by updating golang:1.22-bookworm to golang:1.22-bookworm@sha256:3f0457a0a56a926d93c2baf4cf0057a645e8ff69ff31314080fcc62389643b8e","Warn: containerImage not pinned by hash: components/producers/typescript-eslint/eslint-wrapper/Dockerfile:2","Warn: containerImage not pinned by hash: containers/Dockerfile.base:1","Warn: containerImage not pinned by hash: containers/Dockerfile.buf:4","Warn: containerImage not pinned by hash: containers/Dockerfile.buf:10","Warn: containerImage not pinned by hash: containers/Dockerfile.smithyctl:3","Warn: npmCommand not pinned by hash: components/producers/typescript-eslint/eslint-wrapper/Dockerfile:10-16","Warn: goCommand not pinned by hash: vendor/github.com/json-iterator/go/build.sh:10","Warn: goCommand not pinned by hash: vendor/github.com/pelletier/go-toml/benchmark.sh:10","Warn: goCommand not pinned by hash: vendor/google.golang.org/grpc/regenerate.sh:35","Warn: goCommand not pinned by hash: vendor/google.golang.org/grpc/vet.sh:37","Warn: goCommand not pinned by hash: .github/workflows/lint.yml:39","Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned","Info: 0 out of 3 third-party GitHubAction dependencies pinned","Info: 0 out of 6 containerImage dependencies pinned","Info: 4 out of 9 goCommand dependencies pinned","Info: 0 out of 1 npmCommand dependencies pinned"],"score":2,"reason":"dependency not pinned by hash detected -- score 
normalized to 2","name":"Pinned-Dependencies","documentation":{"url":"https://github.com/ossf/scorecard/blob/367426ed5d9cc62f4944dc4a2174f3bbb5e22169/docs/checks.md#pinned-dependencies","short":"Determines if the project has declared and pinned the dependencies of its build process."}}Bunknown÷ +Jgithub.com/smithy-security/smithy:086c18b8f4d749d4c5a98cc9a87825c8b038851eSAST/scratch/out.json - # TODO(spyros): add flags here once scorecard can write results to file + command: ["/scorecard"] + args: + - --format=json + - --show-details + - --output=/scratch/out.json + - --repo=$(params.producer-ossf-scorecard-input-repo) volumeMounts: - mountPath: /scratch name: scratch diff --git a/examples/pipelines/scorecard-project/kustomization.yaml b/examples/pipelines/scorecard-project/kustomization.yaml new file mode 100644 index 000000000..2eec09d58 --- /dev/null +++ b/examples/pipelines/scorecard-project/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +nameSuffix: -scorecard-project +components: + - pkg:helm/smithy-security-oss-components/base + - pkg:helm/smithy-security-oss-components/producer-ossf-scorecard + - pkg:helm/smithy-security-oss-components/producer-aggregator + - pkg:helm/smithy-security-oss-components/enricher-custom-annotation + - pkg:helm/smithy-security-oss-components/enricher-aggregator + - pkg:helm/smithy-security-oss-components/consumer-stdout-json diff --git a/examples/pipelines/scorecard-project/pipelinerun.yaml b/examples/pipelines/scorecard-project/pipelinerun.yaml new file mode 100644 index 000000000..5a80477bf --- /dev/null +++ b/examples/pipelines/scorecard-project/pipelinerun.yaml 
@@ -0,0 +1,24 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ generateName: smithy-scorecard-project-
+spec:
+ pipelineRef:
+ name: smithy-scorecard-project
+ params:
+ - name: producer-ossf-scorecard-input-repo
+ value: https://github.com/smithy-security/smithy
+ - name: producer-ossf-scorecard-github-auth-token
+ value: $github-auth-token-permissions-to-read-repos
+ - name: enricher-custom-annotation-base-annotation
+ value: '{"foo":"bar","a":"b","1":"2"}'
+ workspaces:
+ - name: output
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
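Review bot: `producer-ossf-scorecard-github-auth-token` is passed as a plain PipelineRun param, so the token is persisted in the PipelineRun and TaskRun objects and is readable by anything that can read those resources, and the task fragment earlier on this page interpolates params straight into container args, so it can also surface in pod specs and logs. A credential belongs in a Kubernetes Secret delivered through a Secret-backed workspace or a `valueFrom.secretKeyRef` on the task side, with the param dropped from the example; at minimum a comment above the param such as `# read-only token; param values are stored in the PipelineRun object, prefer a mounted Secret` would warn users copying this file. The `$github-auth-token-permissions-to-read-repos` placeholder also reads like shell expansion and is easy to submit verbatim; an obviously bracketed placeholder is harder to mistake for a real value. `tekton.dev/v1beta1` is the older API version; if the target cluster serves `tekton.dev/v1`, the example could use that instead.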