Isn't this just checking packages against known cves, which wouldn't help for undiscovered or unannounced vulnerabilities. Let me know if I've misunderstood, I'm basing off the documentation site.

Also I find the irony goes hard in their recommendation of installing another attack surface (brew) on Linux and missing the point.