Are you the client or the third party? It is hard to answer the question of contractual compliance without knowing what the contract entails.
If you are the client, you should have created the acceptance Test Cases or at least signed off on it. It is recommended that you just accept the third party's test results. Your company should execute them to have the assurance it does work as expected.
As to risk exposure, you need to execute a scan for vulnerabilities. There are several tools that do that.
Dynatrace is a well regarded one. You probably heard of the recent log4j vulnarability exposure, tools like Dynatrace look for entry points like that in the code.

hope this helps.
Gus Amaral