diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
new file mode 100644
index 00000000000..b716b69a206
--- /dev/null
+++ b/.github/workflows/openssf-scorecard.yml
@@ -0,0 +1,32 @@
+name: OpenSSF Scorecard update
+on:
+ # XXX: Drop PR builds after testing.
+ pull_request:
+ push:
+ branches: [ master ]
+ schedule:
+ - cron: '0 4 * * 1'
+permissions:
+ contents: read
+ id-token: write
+ security-events: write
+jobs:
+ analyze:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3.1.0
+ # XXX: Also apply elsewhere?
+ with:
+ persist-credentials: false
+ - name: Run OpenSSF Scorecard analysis
+ uses: ossf/scorecard-action@v2.1.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: Update GitHub's code scanning dashboard
+ uses: github/codeql-action/upload-sarif@v2.2.11
+ with:
+ sarif_file: results.sarif
+
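Review bot: The three `uses:` lines pin `actions/checkout`, `ossf/scorecard-action` and `github/codeql-action/upload-sarif` to mutable version tags rather than full commit SHAs, so a retagged or compromised release would run here with `id-token: write` and `security-events: write`; Scorecard's own Pinned-Dependencies check flags exactly this, so the workflow would score against itself. Pin each step to the full commit hash of the intended tag and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3.1.0`, and let Dependabot or Renovate keep those comments current. Separately, the `pull_request` trigger combined with `publish_results: true` likely does not behave as intended: the scorecard action's publishing path is documented for default-branch and scheduled runs, and fork PRs receive a read-only token regardless of the declared permissions, so the `XXX: Drop PR builds after testing.` comment should be resolved before merge rather than shipped.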