Before accepting an application on the AppExchange, Salesforce performs a thorough security review in which the app is scanned for security vulnerabilities. In addition to the initial review, Salesforce runs random checks throughout the year. If an app is found to have vulnerabilities after it has been released on the AppExchange, the developers are notified, and the app is removed from the AppExchange if the vulnerabilities are not fixed quickly.
Unfortunately, Salesforce does not provide a report of the initial or follow-up security reviews. However, it is known that the review includes both automated tests (such as the ZAP scanner) and manual tests (such as SQL injection tests).
Below are some resources that provide more information regarding this security review: