Scanning NIX packages with Sonatype (Nexus IQ) CLM scan tool

As far as I can tell, what you are looking for doesn’t exist yet.


Brainstorming around this need happened at NixCon in 2022; you can learn about the status of the effort at the time there:

Now, at least, we have moved forward, and have an SBOM generator.

Identifying packages is hard.

As far as I know, we still have a problem with this. It's unclear to me where we are at with updating the PURL spec to support Nix. The following thread seems relevant: Package URL's (purl) for Nix packages.

Then, on paper, one could use any vulnerability scanner out there (Trivy or Grype were mentioned at NixCon 2022, for example). Maybe Vulnix can also fill that gap, as @nixinator pointed out.