We recently started using GitHub CodeQL (formerly Semmle) at work, and as a multilanguage code and security scanning tool I have found it quite useful and informative. IIUC, it's free for open source projects and easy to turn on using actions.
https://securitylab.github.com/tools/codeql/ Would this be something we could/would want to enable for the avro repo? If anyone wants to take a look at the output, I have it running (with extra checks) on my fork: https://github.com/kojiromike/avro/pull/8
