Security Review runs the following checks:

Safe file system permissions (protecting against arbitrary code execution)
Text formats don't allow dangerous tags (protecting against XSS)
PHP or Javascript in content (nodes and comments and fields in Drupal 7)
Safe error reporting (avoiding information disclosure)
Secure private files
Only safe upload extensions
Large amount of database errors (could be sign of SQLi attempts)
Large amount of failed logins (could be sign of brute-force attempts)
Responsible Drupal admin permissions (protecting against access misconfiguration)
Username as password (protecting against brute-force)
Password included in user emails (avoiding information disclosure)
PHP execution (protecting against arbitrary code execution)
Base URL set / D8 Trusted hosts (protecting against some phishing attempts)
Views access controlled (protecting against information disclosure)