| Group | Id | Description | Docs |
| --- | --- | --- | --- |
| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | Doc |
| P0 | softwareDesignTraining | Training on secure software design | Doc |
| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | Doc |
| P1 | orgToolingMFA | Enforce MFA in all the tools | Doc |
| P1 | MFAImpersonationDefense | Use MFA against impersonation | Doc |
| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | Doc |
| P2 | noSensitiveInfoInRepositories | Check for sensitive information in repositories | Doc |
| P2 | injectedSecretsAtRuntime | Ensure that secrets are injected at runtime | Doc |
| P2 | scanCommitsForSensitiveInfo | Ensure that all commits are scanned for sensitive information | Doc |
| P2 | preventLandingSensitiveCommits | Block new commits containing secrets or credentials | Doc |
| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | Doc |
| P3 | npmPublicationMFA | Publish to npm using MFA-enabled accounts | Doc |
| P3 | githubWebhookSecrets | Secure GitHub webhooks with secrets | Doc |
| P4 | restrictedOrgPermissions | Restrict default GitHub org member permissions | Doc |
| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | Doc |
| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | Doc |
| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | Doc |
| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 days | Doc |
| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | Doc |
| P6 | automateVulnDetection | Automate dependency vulnerability identification | Doc |
| P6 | staticCodeAnalysis | Use automated static code analysis tools | Doc |
| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | Doc |
| P6 | staticAppSecTesting | Use static application security testing for all commits | Doc |
| P6 | commitStatusChecks | Require commit status checks to pass before merging | Doc |
| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | Doc |
| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | Doc |
| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | Doc |
| P7 | incidentResponsePlan | Define clear communication and incident response plans | Doc |
| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | Doc |
| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | Doc |
| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | Doc |
| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | Doc |
| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | Doc |
| P9 | noForcePushDefaultBranch | Disable force push on the default branch | Doc |
| P9 | preventDeletionDefaultBranch | Prevent deletion of the default branch | Doc |
| P9 | upToDateDefaultBranchBeforeMerge | Require branches to be up to date with the default branch before merging | Doc |
| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | Doc |
| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | Doc |
| P10 | noSelfHostedRunners | Disable self-hosted runners in the GitHub organization | Doc |
| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | Doc |
| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to the job level | Doc |
| P11 | preventScriptInjection | Avoid script injection from untrusted variables | Doc |
| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | Doc |
| P12 | upgradePathDocs | Support older versions or provide upgrade paths | Doc |
| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | Doc |
| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | Doc |
| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | Doc |
| P14 | machineReadableDependencies | Provide machine-readable dependency lists | Doc |
| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | Doc |
| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | Doc |
| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | Doc |
| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | Doc |
| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | Doc |
| R2 | forkWorkflowApproval | Require approval for workflow runs from forks | Doc |
| R2 | workflowSecurityScanner | Use workflow security scanners | Doc |
| R2 | runnerSecurityScanner | Use GitHub runner security scanners | Doc |
| R3 | activeAdminsSixMonths | Require active admins in the GitHub organization (activity within 6 months) | Doc |
| R3 | activeWritersSixMonths | Require active members with write access (activity within 6 months) | Doc |
| R4 | PRsBeforeMerge | Require pull requests before merging | Doc |
| R4 | commitSignoffForWeb | Enforce commit sign-off for web-based commits | Doc |
| R4 | requireSignedCommits | Require signed commits | Doc |
| R5 | includePackageLock | Include package-lock.json in releases | Doc |
| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | Doc |
| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | Doc |
| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | Doc |
| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities within 14 days | Doc |
| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities within 60 days | Doc |