If you're required to do any Vulnerability Scanning or need a Scanner that will actually perform a scan against KaOS, OpenVAS is capable of performing an assessment for you. Nessus will label the OS unsupported and end the scan regardless of Credentialed or non-credentialed scanning.
In order to perform a proper scan against KaOS you'll need to ensure you configure either the "Full and Deep Scan" or "Full and Ultimate scan" configuration. This will allow the scanner to index the filesystem for installed applications and versions. Pacman is not checked for maintaining a package database, but typically this is not scored in an audit assessment so long as an inventory list can be generated (which is why Ultimate or Deep is required).
Compliance scanning is possible as well. I recommend following CIS Distribution Independent Linux if required. You'll need to configure OpenVAS for the CIS scan, which can be done through: https://docs.greenbone.net/GSM-Manual/gos-4/en/compliance.html
I did not install OpenVAS on KaOS but rather ran my scan through a VM. Building OpenVAS on KaOS proved difficult.