diff --git a/linux/CHANGELOG b/linux/CHANGELOG
index d3e694d..8610ced 100644
--- a/linux/CHANGELOG
+++ b/linux/CHANGELOG
@@ -9,6 +9,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 
 ### Changed
 
+* IS_DEBIANSECURITY: check Debian Security repository from apt-cache policy output
+
 ### Deprecated
 
 ### Removed
diff --git a/linux/evocheck.sh b/linux/evocheck.sh
index fb7da68..cddb101 100755
--- a/linux/evocheck.sh
+++ b/linux/evocheck.sh
@@ -226,20 +226,9 @@ check_syslogconf() {
         || failed "IS_SYSLOGCONF" "syslog evolix config file missing"
 }
 check_debiansecurity() {
-    if is_debian_bullseye; then
-        # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
-        # https://www.debian.org/security/
-        pattern="^deb  ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main"
-    elif is_debian_buster; then
-        pattern="^deb  ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main"
-    elif is_debian_stretch; then
-        pattern="^deb  ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main"
-    else
-        pattern="^deb.*security"
-    fi
-
-    source_file="/etc/apt/sources.list"
-    grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
+    # Look for enabled "Debian-Security" sources from the "Debian" origin
+    apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
+    test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository"
 }
 check_aptitudeonly() {
     if is_debian_squeeze || is_debian_wheezy; then