diff --git a/2024-04-hackathon.md b/2024-04-hackathon.md index 41ba9a0..c3c4448 100644 --- a/2024-04-hackathon.md +++ b/2024-04-hackathon.md @@ -40,7 +40,9 @@ For raising issues around pq-code-package generally: ## Onboarding projects - [List of projects & contacts we hope to onboard](candidate-projects.md) -- [getting started with setting up a new project](project-onboarding.md) +- [Github project creation](project-onboarding.md) +- [source code requirements](source-requirements.md) +- [code scanning](code-scanning.md) - Common documentation ## Other useful links diff --git a/code-scanning.md b/code-scanning.md new file mode 100644 index 0000000..085b9fe --- /dev/null +++ b/code-scanning.md @@ -0,0 +1,13 @@ +# Code Scanning + +# OSSF Scorecard + +Each project should integrate a scan using the OSSF scorecard + +See https://github.com/ossf/scorecard + +# vulnarability scanning + +tbd + +# linting & other checks \ No newline at end of file diff --git a/project-onboarding.md b/project-onboarding.md index 1a461d7..f960a4b 100644 --- a/project-onboarding.md +++ b/project-onboarding.md @@ -5,6 +5,8 @@ - Project source should be either under the Apache-2.0 or MIT license - Documentation should be CC-BY-4.0 +Any other license will need legal approval + ## Creating a Github repo 1. Decide on an initial name for the repo. @@ -32,4 +34,15 @@ - any other relevant access into - anything else relevant... - - Alternatively in the issue specify the source repo to migrate the code from & engage in a discussion as to the best way to acheive this + - Alternatively in the issue specify the source repo to migrate the code from & engage in a discussion as to the best way to achieve this + +## Teams + +All access should be controlled through teams + +To be written + +Branch Protection +Approvals +other settings +project setup diff --git a/source-requirements.md b/source-requirements.md new file mode 100644 index 0000000..169f65e --- /dev/null +++ b/source-requirements.md 
@@ -0,0 +1,16 @@ +# Source code requirements + +## Licensing + +All source code should contain SPDX license headers. + + +* https://spdx.dev/learn/handling-license-info/ for more documentation +* https://spdx.org/licenses/ has a full list of labels + +The following are ok to use, others need legal review + +| SPDX Tag | Example | Used for | +| --- | --- | --- | +Apache-2.0 | | Source code| +CC-BY-4.0 | | Documentation \ No newline at end of file
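Review bot: in the 2024-04-hackathon.md hunk, the relabelled link "Github project creation" now describes only one part of project-onboarding.md, which also carries the licensing rules and the new Teams section; either keep a broader label such as "Project onboarding (repo creation, licensing, teams)" or split the page to match. Spell the product "GitHub" as in the page heading "## Creating a Github repo" that should get the same fix, and "- Common documentation" is still the only entry in the list without a link target.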
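Review bot: the heading levels in the new code-scanning.md are wrong; "# OSSF Scorecard", "# vulnarability scanning" and "# linting & other checks" are all top-level headings next to the page title "# Code Scanning", so they should be `## ...`, with "vulnarability" corrected to "vulnerability" and the project named "OpenSSF Scorecard" (the link itself is right). "Each project should integrate a scan using the OSSF scorecard" does not say how or how often: name the mechanism (the ossf/scorecard-action workflow run on the default branch, with results published) and the minimum checks a project is expected to pass, otherwise each onboarded project will interpret it differently. "tbd" and the empty last section ship as visible placeholders; either fill them or mark them as TODO with an owner, and add the missing trailing newline.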
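Review bot: the new "## Teams" section in project-onboarding.md is a stub whose last four lines ("Branch Protection", "Approvals", "other settings", "project setup") have no list markers or headings, so they render as one run-on paragraph after "To be written"; make them a list of the subsections still to be written. The one policy statement it does make, "All access should be controlled through teams", should say which teams (for example an admin team and a maintainer team per project) and state that direct per-user collaborator grants are not used, since that is the point of routing access through teams. The "Any other license will need legal approval" addition is good; see the note on source-requirements.md for the license list it needs to agree with. The typo fix "acheive" to "achieve" is fine, and "any other relevant access into" in the context lines above it still reads "into" for "info".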
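Review bot: the table in the new source-requirements.md is malformed and inconsistent with project-onboarding.md. The two data rows start with `Apache-2.0 | | Source code|` and `CC-BY-4.0 | | Documentation` without the leading `|`, so they will not render as table rows; and the "Example" column is empty even though the page's requirement is that "All source code should contain SPDX license headers", so put the header line there, e.g. `// SPDX-License-Identifier: Apache-2.0` for C-family sources and `# SPDX-License-Identifier: Apache-2.0` for shell, Python and CMake files. project-onboarding.md says source may be "either under the Apache-2.0 or MIT license", but this table lists only Apache-2.0 and CC-BY-4.0 as usable without legal review; either add an MIT row or tighten the onboarding page so the two do not disagree. There is also a doubled blank line after the first sentence and no trailing newline at end of file.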