/security-review really is pretty good.

But your codebase is unique. Slop in one codebase is very dangerous in another.