ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source

Home Page:https://scorecard.dev

Give a -1 Score on Dependency-Update-Tool when the repository doesn't have any relevant dependencies to keep updated

diogoteles08 opened this issue · comments

This could be applicable, for example, to projects written in pure C/C++ and/or projects that don't have any GitHub Actions.

Incrementing the description for this issue:

When a project doesn't have dependencies or its dependencies are all unversioned, it should not be penalized for not having a Dependency-Update-Tool. It should instead get an inconclusive score (-1).

That's because dependency update tools (such as Dependabot and Renovatebot) can only update dependencies when they exist and are versioned, even if they are not pinned (e.g. ^1.2.3). We see this as applicable for C/C++ projects: e.g. github.com/9fans/plan9port has no dependencies but receives a 0 for Dependency-Update-Tool in Scorecard v4.13.1.

Yeah, ideally this would work for projects in any language, as long as they have zero versioned dependencies (including GH Actions, Docker images, etc).

However, different languages have different lockfile formats which would each need to be parsed, so starting with "pure" C/C++ projects (i.e. 95%+ of code is C/C++) makes sense.
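As an added example, not Scorecard's own code (this issue shows none), here is a Go sketch of the proposed rule: a manifest/lockfile, a `uses: owner/repo@ref` line in a workflow, or a tagged `FROM` image counts as a versioned dependency, and the check returns -1 only when none is present. It applies to any language rather than only the pure C/C++ starting point above; the file map, helper names and the 10/0 scoring are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Manifest/lockfile names whose presence implies versioned dependencies an update tool can bump.
var manifests = map[string]bool{"go.mod": true, "package.json": true, "requirements.txt": true,
	"cargo.toml": true, "gemfile": true, "pom.xml": true}

// `uses: owner/repo@ref` in a workflow; a local `uses: ./path` has no ref and is not counted.
var actionUses = regexp.MustCompile(`(?m)^\s*-?\s*uses:\s*\S+@\S+`)

// A tagged base image; an untagged FROM has no version for a tool to bump.
var dockerFrom = regexp.MustCompile(`(?mi)^FROM\s+\S+:\S+`)

// HasVersionedDeps: does any file (repo path -> content, constructed input) declare a bumpable dependency?
func HasVersionedDeps(files map[string]string) bool {
	for p, content := range files {
		base := strings.ToLower(path.Base(p))
		if manifests[base] ||
			(strings.HasPrefix(p, ".github/workflows/") && actionUses.MatchString(content)) ||
			(base == "dockerfile" && dockerFrom.MatchString(content)) {
			return true
		}
	}
	return false
}

// ScoreDependencyUpdateTool: -1 (inconclusive) if nothing is updatable, else 10 with a Dependabot/Renovate config, 0 without.
func ScoreDependencyUpdateTool(files map[string]string) int {
	if !HasVersionedDeps(files) {
		return -1
	}
	for p := range files {
		switch strings.ToLower(p) {
		case ".github/dependabot.yml", ".github/dependabot.yaml", "renovate.json":
			return 10
		}
	}
	return 0
}

func main() {
	pureC := map[string]string{"Makefile": "all:\n\tcc main.c", "src/main.c": "int main(void){return 0;}"}
	fmt.Println(ScoreDependencyUpdateTool(pureC)) // -1: no versioned dependencies, so inconclusive
}
```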

Seems reasonable, although as you've pointed out detection will be the main problem.

This issue has been marked stale because it has been open for 60 days with no activity.