| Priority | ID | Practice | Doc |
|---|---|---|---|
| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | Doc |
| P0 | softwareDesignTraining | Training on secure software design | Doc |
| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | Doc |
| P1 | orgToolingMFA | Enforce MFA in all tools used by the project | Doc |
| P1 | MFAImpersonationDefense | Use MFA against impersonation | Doc |
| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | Doc |
| P2 | noSensitiveInfoInRepositories | Check repositories for sensitive information | Doc |
| P2 | injectedSecretsAtRuntime | Ensure that secrets are injected at runtime | Doc |
| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | Doc |
| P3 | npmPublicationMFA | Publish to npm using MFA-enabled accounts | Doc |
| P3 | githubWebhookSecrets | Secure GitHub webhooks with secrets | Doc |
| P4 | restrictedOrgPermissions | Restrict default GitHub org member permissions | Doc |
| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | Doc |
| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | Doc |
| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | Doc |
| P6 | automateVulnDetection | Automate dependency vulnerability identification | Doc |
| P7 | securityMdMeetsOpenJSCVD | Ensure SECURITY.md meets OpenJS CVD guidelines | Doc |
| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | Doc |
| P7 | incidentResponsePlan | Define clear communication and incident response plans | Doc |
| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | Doc |
| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | Doc |
| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | Doc |
| P9 | noForcePushDefaultBranch | Disable force push on the default branch | Doc |
| P9 | preventDeletionDefaultBranch | Prevent deletion of the default branch | Doc |
| P9 | upToDateDefaultBranchBeforeMerge | Require branches to be up to date with the default branch before merging | Doc |
| P10 | noSelfHostedRunners | Disable self-hosted runners in the GitHub organization | Doc |
| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to the job level | Doc |
| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | Doc |
| P14 | machineReadableDependencies | Provide machine-readable dependency lists | Doc |
| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | Doc |
| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | Doc |
| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | Doc |
| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | Doc |
| R2 | forkWorkflowApproval | Require approval for workflow changes from forks | Doc |
| R2 | workflowSecurityScanner | Use workflow security scanners | Doc |
| R2 | runnerSecurityScanner | Use GitHub runner security scanners | Doc |
| R4 | PRsBeforeMerge | Require pull requests before merging | Doc |
| R4 | commitSignoffForWeb | Enforce commit sign-off for web-based commits | Doc |
| R4 | requireSignedCommits | Require signed commits | Doc |
| R5 | includePackageLock | Include package-lock.json in releases | Doc |
| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | Doc |
| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | Doc |