diff --git a/docs/gitlab/drupal/index.md b/docs/gitlab/drupal/index.md
index 8262a9e8b502506a05d7bd497b555aa64b8526a0..6263da2ec210370304c95b8aebc88fe3bed2730b 100644
--- a/docs/gitlab/drupal/index.md
+++ b/docs/gitlab/drupal/index.md
@@ -225,7 +225,7 @@ First we have to do some preparation. This is done in the `before_script` sectio
 
 First we perform a `composer update` which all dependencies without the development part.
 
-The we check for outdated packages:
+Then we check for outdated packages:
 
 ```yml
 composer outdated --minor-only --strict --no-interaction $OUTDATED_EXTRAS
@@ -245,10 +245,52 @@ Rules, when the job should run:
 
 - `$IGNORE_COMPOSER_EXTENDED_AUDIT` == "0"
 
+#### Check 4 Security Vulnerability Advisories
 
+We start a docker image for `php` with the specifies versions:
 
-#### Check 4 Security Vulnerability Advisories
+- `PHP_MAJOR_VERSION`
+- `PHP_MINOR_VERSION`
+
+The following jobs must run before successfully. Some are optional, which means, if they exist, this job waits for them
+to complete:
+
+- [Check 4 Updates](#check-4-updates)
+    - uses its artefacts
+    - optional
+- [Build Prod Site](#build-prod-site)
+    - uses its artefacts
+    - optional
+- [Build Prod Site NG](#build-prod-site-ng)
+    - uses its artefacts
+    - optional
+- [Build Site](#build-site)
+    - uses its artefacts
+    - optional
+
+First we have to do some preparation. This is done in the `before_script` section.
+
+- [.prepareaccess](#prepareaccess)
+- [.preparecomposerplugins](#preparecomposerplugins)
+
+First we perform a `composer update` which all dependencies without the development part.
+
+Then we check for outdated packages:
+
+```yml
+composer diagnose --no-interaction || true
+composer audit --no-dev --locked --format=table
+```
+
+Rules, when the job must not run:
+
+- the commit message contains `SKIP_check4security` and `$CHECKUPDATES` != "yes"
+- the commit message contains "Merge branch 'develop' into 'main'"
+- the commit message contains "Merge branch 'release' into 'main'"
+
+Rules, when the job should run:
 
+- `$IGNORE_COMPOSER_AUDIT` == "0"
 
 #### Download DB