SAST Support
planned
Elliot Huffman
Have a security check that sees if SAST is set up for a project (e.g. CodeQL or ESLint with security checks). Scores can differ for certain types of checks, e.g. CodeQL is better than ESLint for security checks.
Also detect the type of CodeQL config that is used: are the strong rules enabled, or is only the default used?
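A sketch of the check requested above, as an added example that is not Socket's implementation or code from the original post. The function names, the score weights and the sample repository contents are assumptions made for illustration; `security-extended` and `security-and-quality` are the CodeQL query suites treated here as the "strong rules".

```python
import json
import re

# Constructed sample repository (path -> file text); not taken from the page.
SAMPLE_REPO = {
    ".github/workflows/codeql.yml": """\
jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          queries: security-extended
      - uses: github/codeql-action/analyze@v3
""",
    "package.json": '{"devDependencies": {"eslint-plugin-security": "^1.7.1"}}',
}

WORKFLOW = re.compile(r"\.github/workflows/[^/]+\.ya?ml$")
# Anchored at line start so a commented-out step ("# - uses: ...") is ignored.
CODEQL_INIT = re.compile(r"^\s*(?:-\s*)?uses:\s*github/codeql-action/init@", re.M)
QUERIES = re.compile(r"^\s*queries:\s*(.+)$", re.M)
STRONG_SUITES = ("security-extended", "security-and-quality")

def codeql_level(files):
    """Return 'strong', 'default' or None for the CodeQL workflows in files."""
    level = None
    for path, text in files.items():
        if not (WORKFLOW.match(path) and CODEQL_INIT.search(text)):
            continue
        level = "default"  # CodeQL runs, no stronger suite seen so far
        if any(s in v for v in QUERIES.findall(text) for s in STRONG_SUITES):
            return "strong"
    return level

def has_eslint_security(files):
    """True if package.json declares eslint-plugin-security."""
    try:
        pkg = json.loads(files.get("package.json", "{}"))
    except ValueError:
        return False
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return "eslint-plugin-security" in deps

def sast_score(files):
    """Hypothetical weights: strong CodeQL > default CodeQL > ESLint > none."""
    by_level = {"strong": 1.0, "default": 0.75}
    level = codeql_level(files)
    if level:
        return by_level[level]
    return 0.5 if has_eslint_security(files) else 0.0
```

This only inspects files in the repository: CodeQL default setup enabled in the repository settings leaves no workflow file, and query suites selected through a separate `config-file` are not followed, so both would be under-scored.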
Feross Aboukhadijeh (Socket)
planned