Inline onclick= attributes are the #1 blocker to strict CSP. The audit finds them plus other inline event handlers so you can migrate to addEventListener before tightening CSP.
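An added example (not this tool's own code) of the kind of audit described above: a static scan that lists every inline on* handler attribute in a page so each one can be moved to addEventListener. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: static audit for inline event-handler attributes (on*=).
// Regex tokenizer, adequate for an audit pass; it is not a full HTML parser.
function findInlineHandlers(html) {
  const findings = [];
  // Match comments (skipped) or an opening tag whose quoted values may contain ">".
  const tagRe = /<!--[\s\S]*?-->|<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1] === undefined) continue; // HTML comment
    const tag = m[1].toLowerCase();
    const line = html.slice(0, m.index).split("\n").length;
    // Attribute name, then an optional double-quoted, single-quoted or unquoted value.
    const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attr = a[1].toLowerCase();
      if (/^on[a-z]+$/.test(attr)) {
        findings.push({ line, tag, attr, code: a[2] ?? a[3] ?? a[4] ?? "" });
      }
    }
    // Do not scan script/style bodies: markup inside them is text, not elements.
    if (tag === "script" || tag === "style") {
      const closeRe = new RegExp(`</${tag}\\s*>`, "gi");
      closeRe.lastIndex = tagRe.lastIndex;
      tagRe.lastIndex = closeRe.exec(html) ? closeRe.lastIndex : html.length;
    }
  }
  return findings;
}

// Turn a finding into a migration hint: the handler moves into a script file.
function migrationHint(f) {
  return `line ${f.line}: <${f.tag}> ${f.attr}="${f.code}" -> ` +
    `el.addEventListener("${f.attr.slice(2)}", handler)`;
}

// Constructed sample page: three real handlers, three look-alikes to ignore.
const SAMPLE = `<form id="f" onsubmit="return validate(this)">
  <button id="save" onclick="save()">Save</button>
  <img src="a.png" onerror=fallback(this)>
  <a href="/docs" title="set onclick=x here">Docs</a>
  <!-- <div onclick="old()"> -->
  <script>var s = '<b onclick="x">';</script>
</form>`;

for (const f of findInlineHandlers(SAMPLE)) console.log(migrationHint(f));
```

Handlers that rely on a return value, such as the onsubmit above, need event.preventDefault() in the listener after migration.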