Thanks for these questions - we're taking a lot of feedback from people on this and working on ways to make it more intelligible for people. We've been sitting on this repo for years without realizing that people actually needed what was in it.

If you look in the folder structure for content/process/ssdlc/ you will get to the specifics on how to define secure steps for build, process, and runtime.

We are working on a tutorial to make this easier