mozilla / mig

Distributed & real time digital forensics at the speed of the cloud

Home Page: http://mig.mozilla.org/

Find pending security updates

kpcyrd opened this issue

I'm looking for something along the lines of debsecan that is able to:

  • get a list of advisories from Debian that have updates on security.debian.org
  • compare this list with installed packages
  • report pending security updates to the investigator

The current mig workflow would require explicitly starting investigations for each advisory.

@kpcyrd you may want to have a look at https://github.com/mozilla/scribe, specifically https://github.com/mozilla/scribe/tree/master/scribevulnpolicy. This generates vulnerability checks for platforms supported by clair, and the actions can be run using MIG's scribe module support.
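
The comparison step requested in the issue (advisory list against installed packages), sketched as an added example; it is not part of the thread and is not MIG, scribe or debsecan code. It assumes the installed list is text in the shape printed by `dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n'` and that the advisory feed has already been reduced to (id, binary package, first fixed version) tuples; the package names, versions and advisory ids below are constructed placeholders.

```python
import re

def _key(part):
    # Alternating (non-digit run, number) pairs. Each run is terminated by 0 so
    # that '~' (-1) sorts before end-of-run, and letters before other symbols.
    order = lambda c: -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    return [([order(c) for c in run] + [0], int(num or 0))
            for run, num in re.findall(r"(\D*)(\d*)", part or "0")]

def deb_key(version):
    """Sort key for Debian's [epoch:]upstream[-revision] version ordering."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), _key(upstream), _key(rev)

def pending_updates(dpkg_listing, advisories):
    """Return (advisory, package, installed, fixed) for each unpatched package."""
    rows = (line.split() for line in dpkg_listing.splitlines() if line.strip())
    # Only state "ii" (installed) counts; "rc" means removed, config files left.
    installed = {name: ver for state, name, ver in rows if state == "ii"}
    return [(adv, pkg, installed[pkg], fixed)
            for adv, pkg, fixed in advisories
            if pkg in installed and deb_key(installed[pkg]) < deb_key(fixed)]

# Constructed sample input: status, package name, installed version.
DPKG_LISTING = """\
ii libfoo1 1.2.3-1+deb11u1
ii bar-utils 1:2.0-1
ii bazd 2.0~rc1-1
rc qux 0.9-1
"""
# Constructed advisories: (placeholder id, binary package, first fixed version).
ADVISORIES = [
    ("DSA-EXAMPLE-1", "libfoo1", "1.2.3-1+deb11u2"),    # older revision: pending
    ("DSA-EXAMPLE-2", "bar-utils", "3.0-1"),            # epoch 1: already newer
    ("DSA-EXAMPLE-3", "bazd", "2.0-1"),                 # '~rc1' sorts before 2.0
    ("DSA-EXAMPLE-4", "qux", "1.0-1"),                  # removed package: skipped
    ("DSA-EXAMPLE-5", "not-installed", "1.0-1"),        # not present: skipped
]

if __name__ == "__main__":
    for row in pending_updates(DPKG_LISTING, ADVISORIES):
        print("pending: %s %s installed=%s fixed=%s" % row)
```

A plain string or dotted-number comparison gets the epoch and `~` cases wrong, which is why the version key follows Debian's ordering rules rather than comparing text.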