Here is the Keytool syntax to add a public key to trust:
keytool.exe -importcert -noprompt -trustcacerts -alias display_name_for_CA -file file_containing_CA_key_to_trust -keystore path_to_CACERTS_or_truststore -storepass changeit_for_default_cacerts_or_custom_truststore_password
Keytool syntax to generate a list of CA public keys that are trusted:
keytool.exe -list -keystore CACERTS_or_custom_truststore -storepass changeit_for_default_cacerts_or_custom_truststore_password > trust_file_list.log
I have gotten in the habit of running the list function to dump out current state every time I import anything into the trust store. That way the log is always current.
Now you can make tasks whose relevance parses trust_file_list.log to determine if the proper certs are present.
Likewise you could do an analysis of trust_file_list.log to create a report.