Rust Technical Audit Toolkit

72h Technical Due Diligence Flash for Rust codebases.

In 30 seconds, a founder, VC, or CTO can see the kind of diligence output the toolkit generates:

Ratatui is also included as a fourth generated benchmark sample: docs/sample-reports/ratatui.md.

Rust Technical Audit Toolkit
Repository: ./service
Overall score: 94/100
Crates: 1
Dependencies: 4 direct
Maintainability: 100/100
Architecture: 90/100
Testing: 79/100
Risks: 0 finding(s)

rta is a CLI-first technical due diligence tool for Rust codebases. It helps consulting engineers form a fast, structured view of architecture, maintainability, dependency posture, testing maturity, and delivery risk before deeper manual review.

This is not a security scanner. It is not a linter. It is an engineering assessment platform for commercial technical due diligence.

What It Analyzes

Install

Install the published CLI:

cargo install rust-technical-audit-toolkit

This installs the rta executable:

rta . --summary

The crates.io package is named rust-technical-audit-toolkit because rta is already published by another project. The binary name remains rta.

For local development:

cargo run -p rust-technical-audit-toolkit -- examples/sample-rust-service --summary

CLI Usage

rta [PATH] [--markdown|--json|--summary] [--output FILE]
rta scorecard [PATH] --json [--output FILE]

Examples:

rta . --summary
rta ./service --json
rta ./service --markdown --output audit-report.md
rta scorecard ./service --json --output scorecard.json

CI Scorecard

rta scorecard --json emits a small, stable JSON contract suitable for CI gates, dashboards, and PR comments:

{
  "schema_version": "rta.scorecard.v1",
  "overall_score": 94,
  "scores": {
    "dependency_health": 96,
    "code_quality": 100,
    "architecture": 90,
    "testing": 79,
    "risk_posture": 100
  },
  "risk_findings": {
    "total": 0,
    "high": 0,
    "medium": 0,
    "low": 0
  }
}

See .github/workflows/audit-pr.yml and docs/github-actions-pr-comment.md for a reusable GitHub Actions PR comment workflow.

Output Formats

--summary prints a compact executive snapshot for triage.

--json emits the full machine-readable audit report for dashboards, pipelines, or consulting portals.

--markdown generates a professional due diligence report with:

• Executive Summary
• Architecture
• Dependency Health
• Code Quality
• Testing
• Risks
• Recommendations
• Overall Score

Sample reports:

• Tokio audit sample
• Axum audit sample
• Sled audit sample
• Ratatui audit sample

Scoring Model

The first scoring model is intentionally transparent:

Scores are heuristic indicators, not absolute judgments. The tool is designed to make senior review faster by surfacing where manual diligence should focus. Unsupported metrics are omitted rather than fabricated.

Architecture

The workspace is split into:

• crates/audit-core: collection, analyzers, scoring, JSON rendering, Markdown rendering
• crates/audit-cli: CLI argument handling and command execution
• examples/sample-rust-service: small fixture repository for demos and regression checks

Analyzer modules implement a shared trait and consume a RepositorySnapshot. This keeps rules extensible and avoids coupling the CLI to assessment logic.

Roadmap

• Parser-backed Rust syntax analysis
• Cargo metadata integration
• Optional cargo outdated integration
• Trend comparison between audit runs
• HTML report output
• Rule severity configuration
• Repository ownership and contributor analysis

License

Licensed under either of:

• Apache License, Version 2.0
• MIT license