I don’t think there is, but I can’t answer for sure. I guess you can browse/download and scan the svn repository on sourceforge looking for malicious code. FOG is developed by mainly by 3 or 4 people working together remotely and usually on different parts of the project.
Since it’s open source and freely available via svn on sourceforge, it’s up to the user. Besides, fog is mainly a bunch of scripts and web pages that just use existing application packages available to multiple distributions of Linux (dhcpd, tftpd-hpa, vsftp, mysql, php, apache2, and others).