How do I get a list of all pending security updates on Ubuntu?
These are for when you just want to do this quickly once, instead of creating a separate repository and scripting up some automation. They are also handy when you aren't supposed to be making changes while auditing a system.
These two commands will spit out the list. Pipe to wc -l to see how many are behind. ;-)
grep security /etc/apt/sources.list > /tmp/security.list
sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -oDir::Etc::SourceParts=/some/valid/dir/false -s
Still valid for older distros or if you have update repos off, but security on:
sudo apt-get upgrade -s | grep ^Inst | grep -i security
or
$ sudo cat /var/lib/update-notifier/updates-available
355 packages can be updated.
1 update is a security update.
or
# List all updates available
apt list --upgradable
# List all updates that are security.
apt list --upgradable | grep "\-security"
# Count the number of security updates available, redirecting stderr warnings such as "WARNING: apt does not have a stable CLI interface. Use with caution in scripts." to /dev/null.
apt list --upgradable 2>/dev/null | grep "\-security" | wc -l
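Added example (not from the referenced answers): the `grep ^Inst | grep -i security` filter above also matches any package whose name happens to contain "security". This sketch matches the archive pocket inside the parentheses of each Inst line instead, assuming the usual `Inst name [old] (new archive, ... [arch])` simulation format; the sample lines and the package name libpam-security-demo are constructed.

```shell
#!/bin/sh
# Added example: list pending security updates from `apt-get -s upgrade` output.

# Constructed sample of simulation output. libpam-security-demo is a made-up
# package name that a plain `grep -i security` would count by mistake.
SAMPLE='Reading package lists...
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst libpam-security-demo [1.0-1] (1.0-2 Ubuntu:22.04/jammy-updates [amd64])
Inst curl [7.81.0-1ubuntu1.13] (7.81.0-1ubuntu1.14 Ubuntu:22.04/jammy-security [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])'

# Reads simulation output on stdin and prints "package old -> new" for every
# Inst line whose archive list names a pocket ending in -security.
security_updates() {
    awk '
        $1 != "Inst" { next }          # skip Conf lines and status messages
        {
            pkg = $2
            old = "(none)"             # newly installed packages have no [old]
            if ($3 ~ /^\[.*\]$/) old = substr($3, 2, length($3) - 2)
            # Isolate "(new-version archive, archive [arch])".
            start = index($0, "(")
            if (start == 0) next
            paren = substr($0, start + 1)
            split(paren, f, " ")
            new = f[1]
            # Test the pocket (text after the slash), never the package name.
            if (paren ~ /\/[a-z-]+-security([ ,]|$)/) print pkg, old, "->", new
        }'
}

# Real use (read-only, -s only simulates): apt-get -s upgrade | security_updates
printf '%s\n' "$SAMPLE" | security_updates
```

On the sample, the plain grep pipeline reports three packages while the pocket match reports two.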
Ref: https://askubuntu.com/questions/774805/how-to-get-a-list-of-all-pending-security-updates