If you are just looking to do this quickly once, instead of creating a separate repository and scripting up some automation and all that. Great if you aren't supposed to be making changes while auditing a system or whatever.
These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)
grep security /etc/apt/sources.list > /tmp/security.list sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -oDir::Etc::SourceParts=/some/valid/dir/false -s
Still valid for older distros or if you have update repos off, but security on:
sudo apt-get upgrade -s | grep ^Inst | grep -i security
$ sudo cat /var/lib/update-notifier/updates-available 355 packages can be updated. 1 update is a security update.
# List all updates available apt list --upgradable # List all updates that are security. apt list --upgradable | grep "\-security" # Count number of security updates available. and redirects the stderr like "WARNING: apt does not have a stable CLI interface. Use with caution in scripts." to null apt list --upgradable 2>/dev/null | grep "\-security" | wc -l