What kind of security vulnerabilities are you looking for?
Of the OWASP Top 10, I think only XSS could be detected by static analysis, looking for any call to unsafe methods, making sure you're using SafeHtml et al. everywhere (and SafeHtmlUtils.fromSafeConstant and SafeHtmlUtils.fromTrustedString, and similar SafeStylesUtils and UriUtils methods, would still have to be manually inspected). I believe Google has some ErrorProne check for that (which would respect @SuppressIsSafeHtmlCastCheck et al.), but I don't think they open-sourced it.
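
The review pass described above, as an added example that is not part of the original post and is not Google's ErrorProne check: a small Python scanner that lists, per line of GWT Java source, the trusted-string conversions that need manual inspection and one String-taking HTML sink. The choice of `setInnerHTML` as the sink and the regex approach are assumptions; the scan is a heuristic and is not type-aware.

```python
import re

# "Trust me" conversions named in the post: they wrap a raw string without
# escaping it, so every call site needs a human to confirm the input is safe.
REVIEW = re.compile(
    r"\b(SafeHtmlUtils|SafeStylesUtils|UriUtils)\s*\.\s*"
    r"(fromSafeConstant|fromTrustedString)\s*\(")
# Assumption: Element.setInnerHTML(String) as the example unsafe sink;
# extend this alternation with the String-taking sinks your code base uses.
SINK = re.compile(r"\.\s*(setInnerHTML)\s*\(")
# String literals are matched first so that "http://..." is not cut as a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)


def strip_comments(src):
    """Blank out Java comments, keeping newlines so line numbers stay valid."""
    def blank(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(blank, src)


def scan(src):
    """Return (line, kind, name) for each call site worth a reviewer's time."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in SINK.finditer(line):
            findings.append((lineno, "unsafe-sink", m.group(1)))
        for m in REVIEW.finditer(line):
            findings.append((lineno, "manual-review", f"{m.group(1)}.{m.group(2)}"))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = '''class Greeter {
  void render(Element el, HTML widget, String name) {
    // el.setInnerHTML(name);  old code, commented out
    el.setInnerHTML("<b>" + name + "</b>");
    widget.setHTML(SafeHtmlUtils.fromTrustedString(name));
    widget.setHTML(SafeHtmlUtils.fromString(name));
    el.setInnerSafeHtml(SafeHtmlUtils.fromSafeConstant("<hr>"));
  }
}
'''

if __name__ == "__main__":
    for lineno, kind, name in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {name}")
```

Calls such as `setHTML`, which has both String and SafeHtml overloads, cannot be classified by a regex; telling those apart needs a type-aware checker.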