Is your feature request related to a problem? Please describe.
The current GUAC scorecard certifier only supports computing of OpenSSF, which hits GitHub API rate limits when processing large databases. Additionally, local execution requires GitHub tokens (which often hits rate limits), and significant compute resources, making it unsuitable for scalable GUAC operations.

Describe the solution you'd like
Add an API-based scorecard fetcher using the OpenSSF Scorecard REST API to bypass GitHub rate limits. Users can choose between "query" (default) and "compute" modes of scorecard via CLI flags. The query mode of scorecard requires no GitHub tokens, fetches pre-computed results from https://api.securityscorecards.dev, and includes configurable timeouts/endpoints. Maintains full backward compatibility with existing compute mode of scorecard.