The plugin check_apt does not discover security updates that are tagged with repos with more than one dash in the name, like "xenial-infra-security", nor does it discover updates from UbuntuESM.

From the built-in doc:

Default is a regexp matching security upgrades for Debian and Ubuntu:

So the default regex is a bit tight. It is also unchanged from the version in Ubuntu Xenial (2.1.2-2ubuntu2) to the latest upstream version. Please consider updating the regex, matching UbuntuESM and repos with more than one dash in the name. Something like one of these may do:

^[^\(]*\(.* (Debian-Security:|Ubuntu:[^/]*/.+-security |UbuntuESM:[^/]*.+-security)
^[^\(]*\(.* (Debian-Security:|Ubuntu[^/]*/.+-security)

How to reproduce:

1. Use a system with an Ubuntu Pro subscription, and with some missing updates from ESM
2. Run check_apt

Example:

# /usr/lib/nagios/plugins/check_apt
APT WARNING: 1 packages available for upgrade (0 critical updates). |available_upgrades=1;;;0 critical_updates=0;;;0

# apt -s upgrade | grep -E '^Inst.+-security'
Inst bash [4.3-14ubuntu1.4] (4.3-14ubuntu1.4+esm1 UbuntuESM:16.04/xenial-infra-security [amd64])

# /usr/lib/nagios/plugins/check_apt -c '^[^\(]*\(.* (Debian-Security:|Ubuntu[^/]*/.+-security)'
APT CRITICAL: 1 packages available for upgrade (1 critical updates). |available_upgrades=1;;;0 critical_updates=1;;;0