diff --git a/docs/projects/visionBoard/checklists.md b/docs/projects/visionBoard/checklists.md
new file mode 100644
index 0000000..facd240
--- /dev/null
+++ b/docs/projects/visionBoard/checklists.md
@@ -0,0 +1,445 @@
+---
+sidebar_position: 3
+title: Checklists
+slug: /visionBoard/checklists
+---
+
+
+# VisionBoard Checklists
+
+VisionBoard helps you navigate complex security and compliance requirements by offering customizable and comprehensive checklists. These checklists group related checks to streamline adherence to specific standards, such as the OpenJS Foundation's Security Compliance Guide (SCG). They also allow you to tailor priority levels and requirements to meet the unique needs of your projects.
+
+By using checklists, you can:
+- **Simplify Compliance**: Automatically align your projects with industry standards like OpenJS SCG v1.0.
+- **Customize Priorities**: Overwrite the severity or priority of checks based on your organizational needs.
+- **Ensure Consistency**: Standardize security and operational processes across all your repositories.
+
+Most organizations find it beneficial to subscribe to these checklists, as they offer ready-to-use configurations tailored for different project lifecycles, such as incubating, active, or retiring projects.
+
+---
+<!-- LIST:START -->
+## Official Checklists
+
+Here you can find the official checklists for the Vision Board project:
+- [OpenJS Foundation: Security Compliance Guide v1.0 - Incubating](/docs/visionBoard/checklists#openjs-scgv10-incubating)
+- [OpenJS Foundation: Security Compliance Guide v1.0 - Active](/docs/visionBoard/checklists#openjs-scgv10-active)
+- [OpenJS Foundation: Security Compliance Guide v1.0 - Retiring](/docs/visionBoard/checklists#openjs-scgv10-retiring)
+- [OpenJS Foundation: Security Compliance Guide v1.0 - Solo Maintainers incubating](/docs/visionBoard/checklists#openjs-scgv10-solo-incubating)
+- [OpenJS Foundation: Security Compliance Guide v1.0 - Solo Maintainers Active](/docs/visionBoard/checklists#openjs-scgv10-solo-active)
+- [OpenJS Foundation: Security Compliance Guide v1.0 - Solo Maintainers Retiring](/docs/visionBoard/checklists#openjs-scgv10-solo-retiring)
+
+### OpenJS-SCGv1.0-incubating
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Incubating
+- **Description**: This checklist is for projects that are in the incubating phase and have multiple maintainers.
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | softwareArchitectureDocs | Document software architecture | [Doc](/docs/checks/softwareArchitectureDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R6 | requireTwoPartyReview | Require two-party review | [Doc](/docs/checks/requireTwoPartyReview) |
+| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
+### OpenJS-SCGv1.0-active
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Active
+- **Description**: This checklist is for projects that are in the active phase and have multiple maintainers.
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | softwareArchitectureDocs | Document software architecture | [Doc](/docs/checks/softwareArchitectureDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R6 | requireTwoPartyReview | Require two-party review | [Doc](/docs/checks/requireTwoPartyReview) |
+| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
+### OpenJS-SCGv1.0-retiring
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Retiring
+- **Description**: This checklist is for projects that are in the retiring phase and have multiple maintainers.
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+    
+### OpenJS-SCGv1.0-solo-incubating
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Solo Maintainers incubating
+- **Description**: This checklist is for projects that are in the incubating phase and have a solo maintainer.
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
+### OpenJS-SCGv1.0-solo-active
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Solo Maintainers Active
+- **Description**: This checklist is for projects that are in the active phase and have a solo maintainer.
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
+### OpenJS-SCGv1.0-solo-retiring
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Solo Maintainers Retiring
+- **Description**: This checklist is for projects that are in the retiring phase and have a solo maintainer.
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+    
+
+<!-- LIST:END -->
\ No newline at end of file
diff --git a/scripts/populate-checklists.js b/scripts/populate-checklists.js
index a2650ef..7c52371 100644
--- a/scripts/populate-checklists.js
+++ b/scripts/populate-checklists.js
@@ -1 +1,57 @@
-console.log('Not yet implemented. Skipping...');
\ No newline at end of file
+const { writeFileSync, existsSync, readFileSync } = require('fs')
+const { updateOrCreateSegment } = require('@ulisesgascon/text-tags-manager')
+const path = require('path')
+
+const checklists = require('../data/checklists.json')
+
+const listStartTag = '<!-- LIST:START -->'
+const listEndTag = '<!-- LIST:END -->'
+
+const sortByPriority = (a, b) => {
+    const [aLetter, aNumber] = a.priority_group.match(/[A-Z]+|\d+/g);
+    const [bLetter, bNumber] = b.priority_group.match(/[A-Z]+|\d+/g);
+    return aLetter.localeCompare(bLetter) || aNumber - bNumber;
+}
+
+const slugify = (text) => {
+    //remove dots and convert to lowercase
+    return text.replace(/\./g, '').toLowerCase()
+}
+
+const intro = checklists.map(checklist => {
+    return `- [${checklist.author}: ${checklist.title}](/docs/visionBoard/checklists#${slugify(checklist.code_name)})`
+}).join('\n')
+
+checklistsListContent = `## Official Checklists
+
+Here you can find the official checklists for the Vision Board project:
+${intro}
+
+${checklists.map(checklist => {
+return `### ${checklist.code_name}
+- **Author**: ${checklist.author}
+- **Title**: ${checklist.title}
+- **Description**: ${checklist.description}
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+${checklist.checks
+    .sort(sortByPriority)
+    .map(check => {
+        return `| ${check.priority_group} | ${check.code_name} | ${check.title} | [Doc](/docs/checks/${check.code_name}) |`.trim()
+    }).join('\n')}
+    `
+}).join('\n')}
+`
+
+const checklistsListsDestination = path.join(process.cwd(), 'docs/projects/visionBoard/checklists.md')
+checklistsListFileContent = readFileSync(checklistsListsDestination, 'utf8')
+
+checklistsListFileContent = updateOrCreateSegment({
+    original: checklistsListFileContent,
+    replacementSegment: checklistsListContent,
+    startTag: listStartTag,
+    endTag: listEndTag
+})
+
+writeFileSync(checklistsListsDestination, checklistsListFileContent)