diff --git a/docs/checklists/OpenJS-SCGv1.0-active.md b/docs/checklists/OpenJS-SCGv1.0-active.md
new file mode 100644
index 00000000..7a44bc4a
--- /dev/null
+++ b/docs/checklists/OpenJS-SCGv1.0-active.md
@@ -0,0 +1,81 @@
+## OpenJS-SCGv1.0-active Checklist
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Active
+- **Description**: This checklist is for projects that are in the active phase and have multiple maintainers.
+
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | softwareArchitectureDocs | Document software architecture | [Doc](/docs/checks/softwareArchitectureDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R6 | requireTwoPartyReview | Require two-party review | [Doc](/docs/checks/requireTwoPartyReview) |
+| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
\ No newline at end of file
diff --git a/docs/checklists/OpenJS-SCGv1.0-incubating.md b/docs/checklists/OpenJS-SCGv1.0-incubating.md
new file mode 100644
index 00000000..92c9f9fe
--- /dev/null
+++ b/docs/checklists/OpenJS-SCGv1.0-incubating.md
@@ -0,0 +1,81 @@
+## OpenJS-SCGv1.0-incubating Checklist
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Incubating
+- **Description**: This checklist is for projects that are in the incubating phase and have multiple maintainers.
+
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | softwareArchitectureDocs | Document software architecture | [Doc](/docs/checks/softwareArchitectureDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R6 | requireTwoPartyReview | Require two-party review | [Doc](/docs/checks/requireTwoPartyReview) |
+| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
\ No newline at end of file
diff --git a/docs/checklists/OpenJS-SCGv1.0-retiring.md b/docs/checklists/OpenJS-SCGv1.0-retiring.md
new file mode 100644
index 00000000..93f6f2a5
--- /dev/null
+++ b/docs/checklists/OpenJS-SCGv1.0-retiring.md
@@ -0,0 +1,54 @@
+## OpenJS-SCGv1.0-retiring Checklist
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Retiring
+- **Description**: This checklist is for projects that are in the retiring phase and have multiple maintainers.
+
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+    
\ No newline at end of file
diff --git a/docs/checklists/OpenJS-SCGv1.0-solo-active.md b/docs/checklists/OpenJS-SCGv1.0-solo-active.md
new file mode 100644
index 00000000..c339def6
--- /dev/null
+++ b/docs/checklists/OpenJS-SCGv1.0-solo-active.md
@@ -0,0 +1,76 @@
+## OpenJS-SCGv1.0-solo-active Checklist
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Solo Maintainers Active
+- **Description**: This checklist is for projects that are in the active phase and have a solo maintainer.
+
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
\ No newline at end of file
diff --git a/docs/checklists/OpenJS-SCGv1.0-solo-incubating.md b/docs/checklists/OpenJS-SCGv1.0-solo-incubating.md
new file mode 100644
index 00000000..e31fe89b
--- /dev/null
+++ b/docs/checklists/OpenJS-SCGv1.0-solo-incubating.md
@@ -0,0 +1,76 @@
+## OpenJS-SCGv1.0-solo-incubating Checklist
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Solo Maintainers incubating
+- **Description**: This checklist is for projects that are in the incubating phase and have a solo maintainer.
+
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
+| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
+| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
+| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
+| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
+| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
+| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
+| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
+| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
+| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
+| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
+| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
+| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
+| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
+    
\ No newline at end of file
diff --git a/docs/checklists/OpenJS-SCGv1.0-solo-retiring.md b/docs/checklists/OpenJS-SCGv1.0-solo-retiring.md
new file mode 100644
index 00000000..58238adc
--- /dev/null
+++ b/docs/checklists/OpenJS-SCGv1.0-solo-retiring.md
@@ -0,0 +1,51 @@
+## OpenJS-SCGv1.0-solo-retiring Checklist
+- **Author**: OpenJS Foundation
+- **Title**: Security Compliance Guide v1.0 - Solo Maintainers Retiring
+- **Description**: This checklist is for projects that are in the retiring phase and have a solo maintainer.
+
+
+| Priority | Check | details | Info |
+| --- | --- | --- | --- |
+| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
+| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
+| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
+| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
+| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
+| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
+| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
+| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
+| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
+| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
+| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
+| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
+| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
+| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
+| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
+| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
+| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
+| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
+| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
+| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
+| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
+| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
+| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
+| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
+| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
+| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
+| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
+| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
+| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
+| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
+| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
+| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
+| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
+| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
+| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
+| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
+| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
+| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
+| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
+| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
+| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
+| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
+    
\ No newline at end of file
diff --git a/docs/checklists/_category_.json b/docs/checklists/_category_.json
new file mode 100644
index 00000000..9eb1bef7
--- /dev/null
+++ b/docs/checklists/_category_.json
@@ -0,0 +1,4 @@
+{
+    "label": "Checklists",
+    "position": 5
+  }
\ No newline at end of file
diff --git a/docs/projects/visionBoard/checklists.md b/docs/projects/visionBoard/checklists.md
index bfdc585a..07be6979 100644
--- a/docs/projects/visionBoard/checklists.md
+++ b/docs/projects/visionBoard/checklists.md
@@ -32,414 +32,31 @@ Here you can find the official checklists for the Vision Board project:
 - **Author**: OpenJS Foundation
 - **Title**: Security Compliance Guide v1.0 - Incubating
 - **Description**: This checklist is for projects that are in the incubating phase and have multiple maintainers.
-
-| Priority | Check | details | Info |
-| --- | --- | --- | --- |
-| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
-| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
-| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
-| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
-| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
-| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
-| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
-| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
-| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
-| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
-| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
-| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
-| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
-| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
-| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
-| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
-| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
-| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
-| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
-| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
-| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
-| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
-| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
-| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
-| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
-| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
-| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
-| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
-| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
-| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
-| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
-| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
-| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
-| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
-| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
-| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
-| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
-| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
-| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
-| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
-| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
-| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
-| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
-| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
-| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
-| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
-| P12 | softwareArchitectureDocs | Document software architecture | [Doc](/docs/checks/softwareArchitectureDocs) |
-| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
-| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
-| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
-| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
-| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
-| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
-| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
-| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
-| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
-| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
-| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
-| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
-| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
-| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
-| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
-| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
-| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
-| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
-| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
-| R6 | requireTwoPartyReview | Require two-party review | [Doc](/docs/checks/requireTwoPartyReview) |
-| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
-| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
-| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
-| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
-| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
-    
+- **Details**: [OpenJS-SCGv1.0-incubating](/docs/checklists/OpenJS-SCGv1.0-incubating)
 ### OpenJS-SCGv1.0-active
 - **Author**: OpenJS Foundation
 - **Title**: Security Compliance Guide v1.0 - Active
 - **Description**: This checklist is for projects that are in the active phase and have multiple maintainers.
-
-| Priority | Check | details | Info |
-| --- | --- | --- | --- |
-| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
-| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
-| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
-| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
-| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
-| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
-| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
-| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
-| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
-| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
-| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
-| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
-| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
-| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
-| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
-| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
-| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
-| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
-| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
-| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
-| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
-| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
-| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
-| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
-| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
-| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
-| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
-| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
-| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
-| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
-| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
-| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
-| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
-| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
-| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
-| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
-| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
-| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
-| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
-| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
-| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
-| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
-| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
-| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
-| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
-| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
-| P12 | softwareArchitectureDocs | Document software architecture | [Doc](/docs/checks/softwareArchitectureDocs) |
-| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
-| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
-| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
-| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
-| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
-| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
-| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
-| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
-| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
-| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
-| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
-| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
-| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
-| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
-| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
-| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
-| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
-| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
-| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
-| R6 | requireTwoPartyReview | Require two-party review | [Doc](/docs/checks/requireTwoPartyReview) |
-| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
-| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
-| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
-| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
-| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
-    
+- **Details**: [OpenJS-SCGv1.0-active](/docs/checklists/OpenJS-SCGv1.0-active)
 ### OpenJS-SCGv1.0-retiring
 - **Author**: OpenJS Foundation
 - **Title**: Security Compliance Guide v1.0 - Retiring
 - **Description**: This checklist is for projects that are in the retiring phase and have multiple maintainers.
-
-| Priority | Check | details | Info |
-| --- | --- | --- | --- |
-| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
-| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
-| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
-| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
-| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
-| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
-| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
-| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
-| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
-| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
-| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
-| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
-| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
-| P4 | preventBranchProtectionBypass | Prevent admins from bypassing branch protection | [Doc](/docs/checks/preventBranchProtectionBypass) |
-| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
-| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
-| P4 | twoOrMoreOwnersForAccess | Configure two or more owners for access continuity | [Doc](/docs/checks/twoOrMoreOwnersForAccess) |
-| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
-| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
-| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
-| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
-| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
-| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
-| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
-| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
-| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
-| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
-| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
-| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
-| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
-| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
-| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
-| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
-| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
-| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
-| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
-| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
-| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
-| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
-| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
-| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
-| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
-| R6 | requirePRApprovalForMainline | Require approved PRs for mainline commits | [Doc](/docs/checks/requirePRApprovalForMainline) |
-| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
-| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
-    
+- **Details**: [OpenJS-SCGv1.0-retiring](/docs/checklists/OpenJS-SCGv1.0-retiring)
 ### OpenJS-SCGv1.0-solo-incubating
 - **Author**: OpenJS Foundation
 - **Title**: Security Compliance Guide v1.0 - Solo Maintainers incubating
 - **Description**: This checklist is for projects that are in the incubating phase and have a solo maintainer.
-
-| Priority | Check | details | Info |
-| --- | --- | --- | --- |
-| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
-| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
-| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
-| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
-| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
-| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
-| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
-| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
-| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
-| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
-| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
-| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
-| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
-| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
-| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
-| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
-| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
-| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
-| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
-| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
-| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
-| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
-| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
-| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
-| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
-| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
-| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
-| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
-| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
-| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
-| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
-| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
-| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
-| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
-| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
-| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
-| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
-| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
-| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
-| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
-| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
-| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
-| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
-| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
-| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
-| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
-| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
-| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
-| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
-| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
-| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
-| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
-| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
-| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
-| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
-| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
-| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
-| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
-| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
-| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
-| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
-| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
-| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
-| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
-| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
-| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
-| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
-    
+- **Details**: [OpenJS-SCGv1.0-solo-incubating](/docs/checklists/OpenJS-SCGv1.0-solo-incubating)
 ### OpenJS-SCGv1.0-solo-active
 - **Author**: OpenJS Foundation
 - **Title**: Security Compliance Guide v1.0 - Solo Maintainers Active
 - **Description**: This checklist is for projects that are in the active phase and have a solo maintainer.
-
-| Priority | Check | details | Info |
-| --- | --- | --- | --- |
-| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
-| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
-| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
-| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
-| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
-| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
-| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
-| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
-| P2 | scanCommitsForSensitiveInfo | Ensure that all the commits are scanned | [Doc](/docs/checks/scanCommitsForSensitiveInfo) |
-| P2 | preventLandingSensitiveCommits | Block new commits with secrets or credentials | [Doc](/docs/checks/preventLandingSensitiveCommits) |
-| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
-| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
-| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
-| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
-| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
-| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
-| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
-| P5 | patchCriticalVulns30Days | Patch actively exploited critical vulnerabilities within 30 Days | [Doc](/docs/checks/patchCriticalVulns30Days) |
-| P5 | patchNonCriticalVulns90Days | Patch non-critical vulnerabilities within 90 days | [Doc](/docs/checks/patchNonCriticalVulns90Days) |
-| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
-| P6 | staticCodeAnalysis | Use automated static code analysis tools | [Doc](/docs/checks/staticCodeAnalysis) |
-| P6 | resolveLinterWarnings | Address compiler and linter warnings before merging | [Doc](/docs/checks/resolveLinterWarnings) |
-| P6 | staticAppSecTesting | Use static application security testing for all commits | [Doc](/docs/checks/staticAppSecTesting) |
-| P6 | commitStatusChecks | Require commit status checks to pass before merging | [Doc](/docs/checks/commitStatusChecks) |
-| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
-| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
-| P7 | vulnResponse14Days | Respond to external vulnerability reports in under 14 days | [Doc](/docs/checks/vulnResponse14Days) |
-| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
-| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
-| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
-| P8 | regressionTestsForVulns | Create regression tests for bugs and security vulnerabilities | [Doc](/docs/checks/regressionTestsForVulns) |
-| P9 | defaultTokenPermissionsReadOnly | Set default GitHub workflow token permissions to read-only | [Doc](/docs/checks/defaultTokenPermissionsReadOnly) |
-| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
-| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
-| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
-| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
-| P10 | restrictOrgSecrets | Restrict GitHub organization secrets to specific repositories | [Doc](/docs/checks/restrictOrgSecrets) |
-| P10 | verifiedActionsOnly | Limit GitHub Actions to verified or trusted actions | [Doc](/docs/checks/verifiedActionsOnly) |
-| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
-| P11 | noArbitraryCodeInPipeline | Restrict build pipeline code execution to build scripts | [Doc](/docs/checks/noArbitraryCodeInPipeline) |
-| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
-| P11 | preventScriptInjection | Avoid script injection from untrusted variables | [Doc](/docs/checks/preventScriptInjection) |
-| P12 | consistentBuildProcessDocs | Document consistent and automated build processes | [Doc](/docs/checks/consistentBuildProcessDocs) |
-| P12 | upgradePathDocs | Support older versions or provide upgrade paths | [Doc](/docs/checks/upgradePathDocs) |
-| P12 | ciAndCdPipelineAsCode | Automate CI/CD steps in code-based pipelines | [Doc](/docs/checks/ciAndCdPipelineAsCode) |
-| P13 | pinActionsToSHA | Pin actions with secrets to full-length commit SHAs | [Doc](/docs/checks/pinActionsToSHA) |
-| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
-| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
-| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
-| P14 | annualDependencyRefresh | Refresh dependencies with annual releases | [Doc](/docs/checks/annualDependencyRefresh) |
-| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
-| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
-| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
-| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
-| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
-| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
-| R3 | activeAdminsSixMonths | Require active admins in GitHub organization (activity in 6 months) | [Doc](/docs/checks/activeAdminsSixMonths) |
-| R3 | activeWritersSixMonths | Require active members with write access (activity in 6 months) | [Doc](/docs/checks/activeWritersSixMonths) |
-| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
-| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
-| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
-| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
-| R6 | requireCodeOwnersReviewForLargeTeams | Require code owners review | [Doc](/docs/checks/requireCodeOwnersReviewForLargeTeams) |
-| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
-| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
-| R8 | patchExploitableHighVulns14Days | Patch critical/high vulnerabilities in 14 Days | [Doc](/docs/checks/patchExploitableHighVulns14Days) |
-| R8 | patchExploitableNoncCriticalVulns60Days | Patch non-critical vulnerabilities in 60 Days | [Doc](/docs/checks/patchExploitableNoncCriticalVulns60Days) |
-    
+- **Details**: [OpenJS-SCGv1.0-solo-active](/docs/checklists/OpenJS-SCGv1.0-solo-active)
 ### OpenJS-SCGv1.0-solo-retiring
 - **Author**: OpenJS Foundation
 - **Title**: Security Compliance Guide v1.0 - Solo Maintainers Retiring
 - **Description**: This checklist is for projects that are in the retiring phase and have a solo maintainer.
-
-| Priority | Check | details | Info |
-| --- | --- | --- | --- |
-| P0 | owaspTop10Training | Training on OWASP Top 10 or equivalent | [Doc](/docs/checks/owaspTop10Training) |
-| P0 | softwareDesignTraining | Training on secure software design | [Doc](/docs/checks/softwareDesignTraining) |
-| P1 | npmOrgMFA | Enforce MFA in npm organization(s) | [Doc](/docs/checks/npmOrgMFA) |
-| P1 | orgToolingMFA | Enforce MFA in all the tools | [Doc](/docs/checks/orgToolingMFA) |
-| P1 | MFAImpersonationDefense | Use MFA against impersonation | [Doc](/docs/checks/MFAImpersonationDefense) |
-| P1 | githubOrgMFA | Enforce MFA in GitHub organization(s) | [Doc](/docs/checks/githubOrgMFA) |
-| P2 | noSensitiveInfoInRepositories | Check sensitive information | [Doc](/docs/checks/noSensitiveInfoInRepositories) |
-| P2 | injectedSecretsAtRuntime | Ensure that the secrets are injected at runtime | [Doc](/docs/checks/injectedSecretsAtRuntime) |
-| P3 | SSHKeysRequired | Use SSH keys with passphrases for repository access | [Doc](/docs/checks/SSHKeysRequired) |
-| P3 | npmPublicationMFA | Publish to npm using MFA-Enabled accounts | [Doc](/docs/checks/npmPublicationMFA) |
-| P3 | githubWebhookSecrets | Secure GitHub Webhooks with secrets | [Doc](/docs/checks/githubWebhookSecrets) |
-| P4 | restrictedOrgPermissions | Restrict default GitHub Org member permissions | [Doc](/docs/checks/restrictedOrgPermissions) |
-| P4 | adminRepoCreationOnly | Allow only admins to create public repositories | [Doc](/docs/checks/adminRepoCreationOnly) |
-| P4 | defineFunctionalRoles | Define roles aligned to functional responsibilities | [Doc](/docs/checks/defineFunctionalRoles) |
-| P4 | githubWriteAccessRoles | Define teams/individuals with write access to repositories | [Doc](/docs/checks/githubWriteAccessRoles) |
-| P6 | automateVulnDetection | Automate dependency vulnerability identification | [Doc](/docs/checks/automateVulnDetection) |
-| P7 | securityMdMeetsOpenJSCVD | Ensure Security.md meets OpenJS CVD guidelines | [Doc](/docs/checks/securityMdMeetsOpenJSCVD) |
-| P7 | useCVDToolForVulns | Use CVD tools to manage vulnerability reports | [Doc](/docs/checks/useCVDToolForVulns) |
-| P7 | incidentResponsePlan | Define clear communication and incident response plans | [Doc](/docs/checks/incidentResponsePlan) |
-| P7 | assignCVEForKnownVulns | Assign CVEs to all known security vulnerabilities | [Doc](/docs/checks/assignCVEForKnownVulns) |
-| P7 | includeCVEInReleaseNotes | Include CVE IDs in release notes for security fixes | [Doc](/docs/checks/includeCVEInReleaseNotes) |
-| P9 | blockWorkflowPRApproval | Prevent workflows from creating or approving PRs | [Doc](/docs/checks/blockWorkflowPRApproval) |
-| P9 | noForcePushDefaultBranch | Disable force push on default branch | [Doc](/docs/checks/noForcePushDefaultBranch) |
-| P9 | preventDeletionDefaultBranch | Prevent deletion of default branch | [Doc](/docs/checks/preventDeletionDefaultBranch) |
-| P9 | upToDateDefaultBranchBeforeMerge | Require default branch updates before merging | [Doc](/docs/checks/upToDateDefaultBranchBeforeMerge) |
-| P10 | noSelfHostedRunners | Disable self-hosted runners in GitHub organization | [Doc](/docs/checks/noSelfHostedRunners) |
-| P11 | limitWorkflowWritePermissions | Limit workflow write permissions to job level | [Doc](/docs/checks/limitWorkflowWritePermissions) |
-| P14 | automateDependencyManagement | Automate monitoring of outdated dependencies | [Doc](/docs/checks/automateDependencyManagement) |
-| P14 | machineReadableDependencies | Provide machine-readable dependency lists | [Doc](/docs/checks/machineReadableDependencies) |
-| P14 | identifyModifiedDependencies | Uniquely identify modified dependencies | [Doc](/docs/checks/identifyModifiedDependencies) |
-| R1 | useHwKeyGithubAccess | Use AAL2/3 passkeys for GitHub access | [Doc](/docs/checks/useHwKeyGithubAccess) |
-| R1 | useHwKeyGithubNonInteractive | Use AAL2/3 passkeys for non-interactive GitHub access | [Doc](/docs/checks/useHwKeyGithubNonInteractive) |
-| R1 | useHwKeyOtherContexts | Use AAL2/3 passkeys in all other contexts | [Doc](/docs/checks/useHwKeyOtherContexts) |
-| R2 | forkWorkflowApproval | Require approval for forked workflow changes | [Doc](/docs/checks/forkWorkflowApproval) |
-| R2 | workflowSecurityScanner | Use workflow security scanners | [Doc](/docs/checks/workflowSecurityScanner) |
-| R2 | runnerSecurityScanner | Use GitHub runner security scanners | [Doc](/docs/checks/runnerSecurityScanner) |
-| R4 | PRsBeforeMerge | Require pull requests before merging | [Doc](/docs/checks/PRsBeforeMerge) |
-| R4 | commitSignoffForWeb | Enforce commit sign-off for web based commits | [Doc](/docs/checks/commitSignoffForWeb) |
-| R4 | requireSignedCommits | Require signed commits | [Doc](/docs/checks/requireSignedCommits) |
-| R5 | includePackageLock | Include package-lock.json in releases | [Doc](/docs/checks/includePackageLock) |
-| R7 | limitOrgOwners | Limit GitHub org owners to fewer than three | [Doc](/docs/checks/limitOrgOwners) |
-| R7 | limitRepoAdmins | Limit GitHub repo admins to fewer than three | [Doc](/docs/checks/limitRepoAdmins) |
-    
+- **Details**: [OpenJS-SCGv1.0-solo-retiring](/docs/checklists/OpenJS-SCGv1.0-solo-retiring)
 
 <!-- LIST:END -->
\ No newline at end of file
diff --git a/scripts/populate-checklists.js b/scripts/populate-checklists.js
index 7c523712..5328b146 100644
--- a/scripts/populate-checklists.js
+++ b/scripts/populate-checklists.js
@@ -28,10 +28,17 @@ Here you can find the official checklists for the Vision Board project:
 ${intro}
 
 ${checklists.map(checklist => {
-return `### ${checklist.code_name}
+const detail = `### ${checklist.code_name}
 - **Author**: ${checklist.author}
 - **Title**: ${checklist.title}
 - **Description**: ${checklist.description}
+- **Details**: [${checklist.code_name}](/docs/checklists/${checklist.code_name})`
+
+const checkListDetail = `## ${checklist.code_name} Checklist
+- **Author**: ${checklist.author}
+- **Title**: ${checklist.title}
+- **Description**: ${checklist.description}
+
 
 | Priority | Check | details | Info |
 | --- | --- | --- | --- |
@@ -41,7 +48,15 @@ ${checklist.checks
         return `| ${check.priority_group} | ${check.code_name} | ${check.title} | [Doc](/docs/checks/${check.code_name}) |`.trim()
     }).join('\n')}
     `
-}).join('\n')}
+
+const checkListDestination = path.join(process.cwd(), `docs/checklists/${checklist.code_name}.md`)
+writeFileSync(checkListDestination, checkListDetail)
+
+return detail
+}).join('\n')
+
+
+}
 `
 
 const checklistsListsDestination = path.join(process.cwd(), 'docs/projects/visionBoard/checklists.md')