I wrote a small but useful helper. pacaudit checks installed packages against known vulnerabilities listed on https://security.archlinux.org. You should run it after an update, because it does not check for packages that are already fixed. It would be no problem to check against all known vulnerabilities, just change the source URL in the code (see the GitHub link), yet that makes no sense to me for a rolling release distribution.
You can install it with
yaourt -S pacaudit
You have to import my GPG key first:
gpg --recv-keys 7328F6E376924E4EE266381D3D9C808E038A615C
Or get it from GitHub and compile it with
go build -o pacaudit -ldflags "-s -w"
Comments on AUR, GitHub or via email are highly appreciated!
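The kind of check described above, as an added sketch that is not pacaudit's own code: it matches installed package names against advisory entries and skips entries already marked as fixed. The JSON field names (name, packages, status, severity), the status value "Fixed", the sample feed and the package list are all assumptions constructed for illustration; matching is by package name only, with no version comparison.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Advisory holds the fields this sketch reads; the JSON field names are assumed, not taken from pacaudit.
type Advisory struct {
	Name     string   `json:"name"`
	Packages []string `json:"packages"`
	Status   string   `json:"status"`
	Severity string   `json:"severity"`
}

// Constructed sample feed; advisory ids and package names are placeholders.
const sampleFeed = `[
 {"name":"AVG-0001","packages":["libfoo","libfoo-docs"],"status":"Vulnerable","severity":"High"},
 {"name":"AVG-0002","packages":["bar"],"status":"Fixed","severity":"Critical"},
 {"name":"AVG-0003","packages":["baz"],"status":"Vulnerable","severity":"Low"}
]`

// Audit returns one line per installed package named in an unfixed advisory.
func Audit(feed []byte, installed map[string]string) ([]string, error) {
	var advisories []Advisory
	if err := json.Unmarshal(feed, &advisories); err != nil {
		return nil, fmt.Errorf("parse feed: %w", err)
	}
	var hits []string
	for _, a := range advisories {
		if a.Status == "Fixed" { // fixed entries are skipped: a freshly updated system already has the patch
			continue
		}
		for _, p := range a.Packages {
			if v, ok := installed[p]; ok {
				hits = append(hits, fmt.Sprintf("%s %s: %s (%s)", p, v, a.Name, a.Severity))
			}
		}
	}
	return hits, nil
}

func main() {
	// Constructed package list (name -> installed version).
	hits, err := Audit([]byte(sampleFeed), map[string]string{"libfoo": "1.2-1", "bar": "3.0-2"})
	if err != nil {
		panic(err)
	}
	fmt.Println(hits)
}
```

Because fixed entries are dropped, a stale system can report nothing for "bar" even though its installed version is still the vulnerable one, which is why the check belongs after an update.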