
It seems to have become easier, and thus more common, for software to be deployed by simply checking it out of a git repository, rather than going via release versions. This makes it difficult to know what upstream security issues might exist.

I wonder if a generic solution might be possible, by tagging git objects of various sorts as being insecure, allowing a checked out version to be compared against known security issues in the upstream repository in a generic way.

Have any such approaches been explored already?

mc0e
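One way to express the generic check the question asks about, as an added example that is not part of the original post: record each known issue as the commit that introduced it plus the commit(s) that fixed it, and declare a checkout affected when the introducing commit is an ancestor of the checkout while no fixing commit is. The commit graph and advisory ids below are constructed placeholders; against a real repository the same ancestor test is `git merge-base --is-ancestor <commit> <checkout>`.

```python
"""Generic 'is this checkout affected?' check over a commit ancestry graph.

Added example, not code from the original post. The commit ids, graph and
advisory ids are constructed for illustration only.
"""
from typing import Dict, Iterable, List, Set

# Constructed commit graph: sha -> parent shas (placeholder ids, not real hashes).
COMMITS: Dict[str, List[str]] = {
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],        # introduces flaw ADV-0001
    "c4": ["c3"],
    "c5": ["c4"],        # fixes ADV-0001
    "c6": ["c5"],
    "b1": ["c3"],        # release branch forked before the fix landed
    "b2": ["b1"],
    "m1": ["b2", "c6"],  # merge of the branch into the fixed mainline
}

# Constructed advisory records (hypothetical ids, not real CVEs).
# "fixed" is a list because a fix may be backported to several branches.
ADVISORIES: List[dict] = [
    {"id": "ADV-0001", "introduced": "c3", "fixed": ["c5"]},
    {"id": "ADV-0002", "introduced": "c1", "fixed": []},  # still unfixed upstream
]


def ancestors(commit: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Return the set of commits reachable from `commit`, including itself.

    Matches git's convention: `git merge-base --is-ancestor A A` is true.
    """
    seen: Set[str] = set()
    stack = [commit]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, []))
    return seen


def is_ancestor(maybe_ancestor: str, commit: str, graph: Dict[str, List[str]]) -> bool:
    """True if `maybe_ancestor` is reachable from `commit` (or equal to it)."""
    return maybe_ancestor in ancestors(commit, graph)


def affected_advisories(checkout: str, advisories: Iterable[dict],
                        graph: Dict[str, List[str]]) -> List[str]:
    """List advisory ids that apply to the commit currently checked out.

    An advisory applies when the flaw was introduced somewhere in the
    checkout's history and none of the fixing commits are in that history.
    A branch forked before the fix (b1/b2 above) is therefore still flagged
    even though mainline has moved on.
    """
    hits: List[str] = []
    for adv in advisories:
        if not is_ancestor(adv["introduced"], checkout, graph):
            continue  # flaw never entered this line of history
        if any(is_ancestor(fix, checkout, graph) for fix in adv["fixed"]):
            continue  # a fix is already part of the checkout
        hits.append(adv["id"])
    return hits


if __name__ == "__main__":
    for head in ("c2", "c4", "c6", "b2", "m1"):
        print(f"{head}: {affected_advisories(head, ADVISORIES, COMMITS)}")
```

The advisory records could live outside the repository or, as the question suggests, be attached to the objects themselves (for example as tags or notes on the introducing and fixing commits); the ancestry test is the same either way. Note that a pure ancestry check only says whether the fixing commit is present, not whether a different patch was applied locally, so a repository that cherry-picks fixes under new commit ids would still be reported as affected.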
