I'm not sure what you mean about a screenshot tool? But deps in the build scripts/actions are not pinned. The setup.cfg has dependencies unpinned. Requirements files also.
This includes unpinned deps that depend on xz, btw. E.g. Pillow, which pins xz.
It detects a security policy and gives points for it. Btw, this isn't a GH-specific tool or from them. It supports other systems.
I agree with the tool that Django needs funding to fix real issues. 7.2/10 is not bad or average though.