| 7. Code Quality | At least One Primary Maintainer has taken TBD Training on Secure Software Design | 0 | details |
| 7. Code Quality | At least One Primary Maintainer has taken TBD Training on OWASP Top 10 or Equivalent | 0 | details |
| 1. User Authentication | Multi Factor Authentication (MFA) Enforced Across the Github Organization | 1 | details |
| 1. User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization | 1 | details |
| 1. User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Techncially Feasible | 1 | details |
| 1. User Authentication | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | 1 | details |
| 3. Service Authentication | No Secrets and Credentials in Source Code | 2 | details |
| 3. Service Authentication | Secrets are injected at runtime, such as environment variables or as a file (eg: use Github Secrets) | 2 | details |
| 1. User Authentication | Use SSH keys for developer access to source code repositories and use a passphrase | 3 | details |
| 3. Service Authentication | Publish to npm using an MFA-enabled account rather than single factor legacy or granular access tokens | 3 | details |
| 3. Service Authentication | Github Webhooks Use Secrets | 3 | details |
| 2. User Account Permissions | Default Github Org Member Permissions Should Be Restricted | 4 | details |
| 2. User Account Permissions | Only Admins Should Be Able To Create Public Repositories | 4 | details |
| 2. User Account Permissions | [For Projects with Two or more Admins] Do not allow Admins to Bypass Branch Protection Settings | 4 | details |
| 2. User Account Permissions | Define roles aligned to functional responsibilities | 4 | details |
| 2. User Account Permissions | Define Individuals/Teams who Write Access to a Github Repo | 4 | details |
| 2. User Account Permissions | [For Projects with Two or more Owners] Have at least Two Owners Configured for Access Continuity | 4 | details |
| 11. Dependency Management | An automated process to identify dependencies with publicly disclosed vulnerabilities | 6 | details |
| 7. Code Quality | Security.md Meets OpenJS CVD Guidelines | 7 | details |
| 6. Coordinated Vulnerability Disclosure | Project Leverages a CVD Tool to Privately Receive/Manage External Vulnerability Reports (eg: H1/GH PVR) | 7 | details |
| 6. Coordinated Vulnerability Disclosure | Establish a Clear Communication and Incident Response Plan | 7 | details |
| 6. Coordinated Vulnerability Disclosure | All Known Security Vulnerabilities are Issued a CVE | 7 | details |
| 6. Coordinated Vulnerability Disclosure | Release Notes must Include the CVE ID of Patched Security Vulnerabilities | 7 | details |
| 4. Github Workflow Permissions | Workflows are not Allowed To Create or Approve Pull Requests | 9 | details |
| 9. Source Control | Prevent Force Push on Default Branch | 9 | details |
| 9. Source Control | Prevent Default Branch Deletion | 9 | details |
| 9. Source Control | Default Branch must be Up to Date before Merging | 9 | details |
| 4. Github Workflows | Disable use of Self-Hosted Runners in Github Org | 10 | details |
| 4. Github Workflows | Only Allow Workflows Write Permissions at the Job-Level | 11 | details |
| 10. Dependency Inventory | Automated Process is Used to Monitor for and Maintain a List of Out of Date Dependencies | 14 | details |
| 10. Dependency Inventory | [Freestanding Applications Only] A Machine Readable List of all Direct and Transitive Dependencies is Available for the Software | 14 | details |
| 10. Dependency Inventory | Modified dependencies are uniquely identified and distinct from origin dependency | 14 | details |