It's difficult to determine which whitelist comments (eg. WPCS: sanitization ok) are available to use. These should be documented, and it would be good if the documentation recommended a standard format such as // WPCS: sanitization ok.

Here's the list I have. Are there more?

• Escaping: XSS
• Sanitising: sanitization
• Nonce verification: CSRF
• Loose comparison: loose comparison
• Overriding WordPress globals: override
• Use of superglobal: input var