...
Provide named security contacts per project (at least two contacts)
Define security issue reporting process in SECURITY.md with reference to Hyperledger reporting process
Follow security issue disclosure process - see Disclosure task force
Leverage automated scans; tooling depends on language but usually includes some combination of:
  linters
  Software Composition Analysis (SCA) dependency scans, e.g. Dependabot, Govulncheck
  Static Application Security Testing (SAST), aka static analysis scans, e.g. CodeQL, Snyk
Pin dependencies and keep them up to date, e.g. using Dependabot, but be wary of automatic upgrades and review new versions for malware before merging.
Engage with Hyperledger staff on the possibility of security audits for major releases of Graduated projects; address the audit results and socialize them.
Review and obtain OpenSSF Best Practices Badge - criteria
Sign release artifacts (TBD) - see proposed Security Artifact Signing task force
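As an added illustration of the scanning and pinning items above (a constructed example, not Hyperledger's or any project's own configuration): a Dependabot config that keeps Go modules and GitHub Actions current through reviewable pull requests, and a workflow that runs govulncheck and CodeQL with every action pinned to a commit SHA. The `<commit-sha>` and `<pinned-version>` placeholders stand for values you look up and verify yourself; no automatic merge is configured, so each upgrade PR still gets a human review.

```yaml
# .github/dependabot.yml (constructed example)
version: 2
updates:
  - package-ecosystem: gomod          # Go module dependencies
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 5       # batch of PRs to review, never auto-merged
  - package-ecosystem: github-actions # keeps the SHA-pinned actions below current
    directory: /
    schedule:
      interval: weekly
---
# .github/workflows/security-scan.yml (constructed example)
name: security-scan
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  security-events: write   # required for CodeQL to upload its SARIF results
jobs:
  govulncheck:             # SCA: known vulnerabilities reachable from this module
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha>   # pin to a full commit SHA, not a tag
      - uses: actions/setup-go@<commit-sha>
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>
      - run: govulncheck ./...
  codeql:                  # SAST: static analysis of the project's own code
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha>
      - uses: github/codeql-action/init@<commit-sha>
        with:
          languages: go
      - uses: github/codeql-action/autobuild@<commit-sha>
      - uses: github/codeql-action/analyze@<commit-sha>
```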
...