@sethmlarson I don't believe grepping for "pip install" and then failing is useful or healthy for anyone, which is what those sections appear to be pointing out.
I get that this is a hard problem to know the right context and to differentiate, which is why many of us are pointing out that it's a bad tool.
A bad tool is one we can't trust or that commonly reports false positives, which is where we are at.
@webology Pinned dependencies is one of the metrics I'd consider to be actually helpful. It usually trips on GitHub Workflows and pip commands not being pinned to commits/hashes, which for release workflows should be pinned. Test/quality workflows, though, are probably okay to be unpinned; hard to differentiate, though.
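As an added illustration of the distinction this comment turns on (example code, not from the thread or from the scorecard tool), here is a small check that treats a GitHub Action as pinned only when its ref is a full commit SHA, and a `pip install` as pinned only when it uses `--require-hashes` or exact `==` versions. The workflow text is constructed, and, like the tool being discussed, the check cannot tell a release workflow from a test one.

```python
import re

# Constructed sample workflow (not from any real project); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5.0.0
      - run: pip install -r requirements.txt
      - run: pip install --require-hashes -r requirements.txt
      - run: pip install requests==2.31.0
"""

USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PIP_RE = re.compile(r"pip3?\s+install\b(.*)")


def action_pinned(ref):
    """A GitHub Action is pinned only when its ref is a full commit SHA;
    tags and branches are mutable and can be repointed by the action's owner."""
    return bool(SHA_RE.match(ref))


def pip_pinned(args):
    """A pip install counts as pinned when it verifies hashes, or when every
    package named directly on the command line has an exact '==' version.
    A bare '-r requirements.txt' is reported, since the file is not inspected."""
    if "--require-hashes" in args:
        return True
    pkgs = [a for a in args.split() if not a.startswith("-") and not a.endswith(".txt")]
    return bool(pkgs) and all("==" in p for p in pkgs)


def find_unpinned(workflow_text):
    """Return (line_number, description) for each unpinned action or pip command."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.search(line)
        if m and not action_pinned(m.group(2)):
            findings.append((n, f"action {m.group(1)} uses mutable ref {m.group(2)}"))
        m = PIP_RE.search(line)
        if m and not pip_pinned(m.group(1)):
            findings.append((n, f"pip install without hashes or exact versions: {line.strip()}"))
    return findings


if __name__ == "__main__":
    for n, desc in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {desc}")
```

Run against the sample, only the `@v4` action and the plain `-r requirements.txt` install are reported; the SHA-pinned action and the hash-verified and `==`-pinned installs pass.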
"CII Best Practices" is a checklist of things that can never be automated, so yeah I don't love that metric.
@webology holy shit I just noticed that one of the factors that contributes to the score is whether you put their badge in your README. Total fucking garbage.