diff --git a/.github/scorecard.yml b/.github/scorecard.yml
new file mode 100644
index 000000000000..e461abd489a6
--- /dev/null
+++ b/.github/scorecard.yml
@@ -0,0 +1,8 @@
+# annotations tell scorecard that we have mitigated a concern. automation is only so good at establishing context
+# https://github.com/ossf/scorecard/blob/main/config/README.md#annotating-your-project
+annotations:
+ # our workflows only run when a maintainer allows it
+ - checks:
+ - dangerous-workflow
+ reasons:
+ - reason: remediated
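Review bot: The justification comment above the `dangerous-workflow` annotation is too thin to audit later: it says maintainer approval gates the workflows but does not name which workflow files or which gate (an approval environment, a label, a manual dispatch) that claim rests on, so a future reviewer cannot re-verify it when workflows change. The annotation also marks the whole check as remediated repository-wide, while the check itself covers more than triggering — notably untrusted event data flowing into run steps — and approval gating does not address that class on its own; if that part was reviewed too, the comment should say so. I would expand the comment to something like `# our workflows only run when a maintainer allows it (gated by <GATE> in <WORKFLOW_FILE>; script-injection surface reviewed <DATE>)`, with the placeholders filled in from the actual workflows. As far as I can tell from the linked README, annotations are reported alongside results rather than changing how the scan is performed, so the comment is the only durable record of why this finding is considered closed.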