The existing tool for this (I think there may be multiple, but the one I'm familiar with) is debsecan. https://wiki.debian.org/DebianSecurity/debsecan
Which seems to have all the features you'd want: https://scottlinux.com/2015/04/01/debsecan-get-an-emailed-report-of-pending-debian-security-updates/ -- "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." - Cardinal Richelieu
