Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

also what you're pointing at should change at every revision, so it's probably less overhead to just maintain a list of what you care about and the certs you expect the code to be signed with at those paths

By revision, you mean when a plist is modified?

no, I mean when the 'vendor' updates the software as that would change the target's hash

in practice the launchd jobs barely ever get revised once something works close to as intended