I Built an AI That Audits Your Entire Codebase With One Command

Shehryar Sohail — Sun, 15 Mar 2026 14:57:03 +0000

TL;DR: npx claude-audit scans your project for security vulnerabilities, code quality issues, dependency risks, and more — then gives you a letter grade and actionable fixes. No config needed.

The Problem

Every developer knows the feeling: you've been heads-down building for weeks, and suddenly you need to ship. But lurking in your codebase are hardcoded secrets, outdated dependencies with known CVEs, functions with 8 levels of nesting, and zero tests for your auth logic.

Professional code audits cost thousands and take weeks. Linters catch syntax issues but miss the big picture. AI code review tools exist, but most require complex setup, multiple config files, and a PhD in YAML.

I wanted something different: one command, zero config, a complete audit.

What I Built

Claude Audit is an open-source CLI tool that combines fast static analysis with Claude AI's deep reasoning to audit your codebase across 7 dimensions:

Security — hardcoded secrets, SQL injection, XSS, OWASP Top 10
Code Quality — complexity, deep nesting, dead code, anti-patterns
Performance — inefficient algorithms, blocking I/O, memory leaks
Architecture — modularity, coupling, separation of concerns
Dependencies — known CVEs, deprecated packages, supply chain risks
Testing — coverage gaps, missing tests, quality issues
Documentation — missing docs, stale comments, API gaps

Each category gets a score (0-100) and a letter grade (A-F). You get an overall score, a prioritized list of findings, and specific fixes for every issue.

Zero-Config Design

The entire experience is one command:

npx claude-audit

That's it. No install. No config file. No API key required (static analysis runs without one).

Want AI-powered deep analysis? Just set your Anthropic key:

ANTHROPIC_API_KEY=sk-ant-... npx claude-audit

What the Output Looks Like

The terminal output uses colored score bars, letter grades, and severity-tagged findings:

 CATEGORY SCORES

  🔒  Security        ██████░░░░░░░░░░░░░░  42/100  [ D ]  · 3 issues
  📊  Code Quality    ████████████░░░░░░░░  71/100  [ C ]  · 5 issues
  ⚡  Performance     █████████████░░░░░░░  78/100  [ C ]  · 2 issues
  📦  Dependencies    ████████░░░░░░░░░░░░  55/100  [ F ]  · 7 issues

  🚨 CRITICAL: Hardcoded JWT Secret
     File: src/config/auth.ts:14
     Fix:  Use a randomly generated 256-bit secret stored in env vars.

It also generates beautiful standalone HTML reports and Markdown files — perfect for PRs, team reviews, or compliance.

How It Works Under the Hood

Scanner — Respects .gitignore, detects languages/frameworks, reads source files (supports 30+ languages)
Static Analyzers — 15+ regex-based rules for secrets, 25+ known vulnerable packages, complexity/quality checks
Claude AI (optional) — Sends prioritized code context to Claude for deep 7-category analysis with specific file/line references
Reporter — Generates terminal, Markdown, HTML, or JSON output

The AI analysis is smart about context: it prioritizes entry points, auth files, config, and API routes. Large files are truncated. The prompt is engineered to return structured JSON that maps directly to actionable findings.

CI/CD Ready

# GitHub Actions
- name: Run Claude Audit
  run: npx claude-audit --json > audit.json
  env:
    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

Exit code 1 on critical issues means you can gate deployments. The --json flag outputs machine-readable results for custom integrations.

Built With

TypeScript — strict mode, fully typed
Commander — CLI framework
Anthropic SDK — Claude API integration
Chalk + Boxen + Ora — beautiful terminal output

Try It Now

npx claude-audit

Or with AI:

ANTHROPIC_API_KEY=your-key npx claude-audit

GitHub: github.com/itsmesherry/claude-audit

Stars, feedback, and contributions are welcome. This is v0.1.0 — the foundation is solid and there's a lot more coming (SARIF output, multi-provider support, GitHub Action, custom rules).

DEV Community: Shehryar Sohail