diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/ossf-scorecard.yaml
new file mode 100644
index 0000000..7cdf2bb
--- /dev/null
+++ b/.github/workflows/ossf-scorecard.yaml
@@ -0,0 +1,35 @@
+name: Scorecard analysis workflow
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed if using Code scanning alerts
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@v4
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ - name: "Upload SARIF results to code scanning"
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/README.md b/README.md
index 8733afc..57a6a50 100644
--- a/README.md
+++ b/README.md
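Review bot: The three `uses:` lines reference mutable major-version tags (`actions/checkout@v4`, `ossf/scorecard-action@v2`, `github/codeql-action/upload-sarif@v2`), so this workflow will itself score poorly on Scorecard's Pinned-Dependencies check, and a tag move at any of those upstreams silently changes what runs with `id-token: write` and `security-events: write`. Pin each to a full commit SHA and keep the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the upstream release). The checkout step also leaves the job's GITHUB_TOKEN in the workspace's `.git/config` for the later third-party steps by default; the scorecard-action template passes `with:` / `persist-credentials: false` to avoid that. Consider adding the template's top-level `permissions: read-all` as well, so any job added later starts from a read-only token rather than the repository default.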
@@ -13,35 +13,39 @@ It adds basic PR building, dependabot integration, testing, coverage etc.
 ```bash
 git clone git@github.com:smlx/go-cli-github.git $PROJECT_DIR && rm -rf ./$PROJECT_DIR/.git
 ```
-2. Update the `release` workflow branch from `main` to `foo` to disable it, commit all the files, and push to `main` on a new repo.
-2. Update for your project, send a PR and merge it once green:
- * rename `deploy/go-cli-github` to `deploy/$YOUR_COMMAND`
- * update `deploy/$YOUR_COMMAND/Dockerfile`
- * rename `cmd/go-cli-github` to `cmd/$YOUR_COMMAND`
- * update `.goreleaser.yml` to build `cmd/$YOUR_COMMAND`
- * update the links at the top of the README
- * update the `build`, `release`, and `tag-to-release` workflows, replacing `go-cli-github` with `$YOUR_COMMAND`.
- * update module in `go.mod` and in `cmd/$YOUR_COMMAND/*.go`, `internal/server/serve_test.go`
-3. Go to repository Settings > General:
- * Disable wiki and projects
- * Allow only merge commits for Pull Requests
- * Allow auto-merge
- * Automatically delete head branches
-4. Go to repository Settings > Branches and add branch protection to `main`, and enable:
- * Require a PR before merging
- * Dismiss stale pull request approvals
- * Require status checks to pass before merging
- * Require branches to be up-to-date before merging.
- * Required status checks:
- * CodeQL
- * build
- * buildimage
- * commitlint
- * go-test
- * lint
- * Include administrators
-5. Go to repository Settings > Code security and analysis, and enable:
- * Dependabot alerts
- * Dependabot security updates
-6. When ready to release, rename the target branch in the release workflow from `foo` to `main`, and send a PR.
-7. That's it.
+1. Update the `release` workflow branch from `main` to `foo` to disable it, commit all the files, and push to `main` on a new repo.
+1. Update for your project, send a PR and merge it once green:
+ * rename `deploy/go-cli-github` to `deploy/$YOUR_COMMAND`
+ * update `deploy/$YOUR_COMMAND/Dockerfile`
+ * rename `cmd/go-cli-github` to `cmd/$YOUR_COMMAND`
+ * update `.goreleaser.yml` to build `cmd/$YOUR_COMMAND`
+ * update the links at the top of the README
+ * update the `build`, `release`, and `tag-to-release` workflows, replacing `go-cli-github` with `$YOUR_COMMAND`
+ * update module in `go.mod` and in `cmd/$YOUR_COMMAND/*.go`, `internal/server/serve_test.go`
+1. Go to repository Settings > General:
+ * Disable wiki and projects
+ * Allow only merge commits for Pull Requests
+ * Allow auto-merge
+ * Automatically delete head branches
+1. Go to repository Settings > Branches and add branch protection to `main`, and enable:
+ * Require a PR before merging
+ * Dismiss stale pull request approvals
+ * Require status checks to pass before merging
+ * Require branches to be up-to-date before merging.
+ * Required status checks:
+ * CodeQL
+ * build
+ * buildimage
+ * commitlint
+ * go-test
+ * lint
+ * Include administrators
+1. Go to repository Settings > Code security and analysis, and enable:
+ * Dependabot alerts
+ * Dependabot security updates
+ * Secret scanning
+ * Push protection
+1. Go to repository Settings > Actions > General:
+ * Set Workflow permissions to "Read repository contents and package permissions"
+1. When ready to release, rename the target branch in the release workflow from `foo` to `main`, and send a PR.
+1. That's it.
diff --git a/go.mod b/go.mod
index 03247dc..c90281c 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,5 @@
 module github.com/smlx/go-cli-github
-go 1.19
+go 1.21
 require github.com/alecthomas/kong v0.8.1
diff --git a/go.sum b/go.sum
index 14b62cf..021aabe 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,8 @@
 github.com/alecthomas/assert/v2 v2.1.0 h1:tbredtNcQnoSd3QBhQWI7QZ3XHOVkw1Moklp2ojoH/0=
+github.com/alecthomas/assert/v2 v2.1.0/go.mod h1:b/+1DI2Q6NckYi+3mXyH3wFb8qG37K/DuK80n7WefXA=
 github.com/alecthomas/kong v0.8.1 h1:acZdn3m4lLRobeh3Zi2S2EpnXTd1mOL6U7xVml+vfkY=
 github.com/alecthomas/kong v0.8.1/go.mod h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqro/2132U=
 github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE=
+github.com/alecthomas/repr v0.1.0/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
+github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=