Rust Technical Audit Toolkit
72h Technical Due Diligence Flash for Rust codebases.
In 30 seconds, a founder, VC, or CTO can open a complete sample evidence pack and see the kind of diligence output the toolkit generates:
| Public repository | Overall | Evidence pack | Executive report |
|---|---|---|---|
| Tokio | 74/100 | docs/audit-packs/tokio | executive-report.md |
| Axum | 80/100 | docs/audit-packs/axum | executive-report.md |
| Ratatui | 81/100 | docs/audit-packs/ratatui | executive-report.md |
Sample packs are illustrative outputs from public repositories, not complete audits or judgments on those projects. The value is the repeatable evidence workflow: report, scorecard, evidence, risk register, review questions, and methodology.
Rust Technical Audit Toolkit
Repository: ./service
Overall score: 90/100
Crates: 1
Dependencies: 4 direct
Maintainability: 100/100
Architecture: 80/100
Testing: 73/100
Risks: 0 finding(s)
rta is a CLI-first technical due diligence tool for Rust codebases. It helps consulting engineers form a fast, structured view of architecture, maintainability, dependency posture, testing maturity, and delivery risk before deeper manual review.
This is not a security scanner. It is not a linter. It is an engineering assessment platform for commercial technical due diligence.
What It Analyzes
| Area | Signals |
|---|---|
| Repository overview | Crates, packages, workspace members, project size, language mix, Cargo manifests |
| Dependency analysis | Direct dependencies, critical dependencies, broad or non-registry declarations, maintenance indicators |
| Code quality | Lines of Rust code, module count, function count, average function size, large modules, God module candidates |
| Architecture review | Workspace crate count, module depth, crate-relative fan-out, module centralization, real top-level module cycles |
| Engineering risk | Bus factor concerns, single points of failure, complex modules, lack of tests, dependency concentration |
| Testing maturity | Unit test presence, integration tests, test function count, testing structure |
Install
Install the published CLI:
This installs the rta executable:
The crates.io package is named rust-technical-audit-toolkit because rta is already published by another project. The binary name remains rta.
For local development:
CLI Usage
Examples:
CI Scorecard
rta scorecard --json emits a small, stable JSON contract suitable for CI gates, dashboards, and PR comments:
See .github/workflows/audit-pr.yml and docs/github-actions-pr-comment.md for a reusable GitHub Actions PR comment workflow.
Output Formats
--summary prints a compact executive snapshot for triage.
--json emits the full machine-readable audit report for dashboards, pipelines, or consulting portals.
--markdown generates a professional due diligence report with:
- Executive Summary
- Architecture
- Dependency Health
- Code Quality
- Testing
- Risks
- Recommendations
- Overall Score
audit-pack generates a complete diligence folder with:
executive-report.md: human-readable technical due diligence reportscorecard.json: compact CI/dashboard scorecardevidence.json: machine-readable signals behind the assessmentrisk-register.json: structured findings with stable risk IDsreview-questions.md: score-driven and finding-driven follow-up questionsmethodology.md: scope, scoring model, and interpretation notes
Sample reports:
Scoring Model
The score is a weighted triage indicator: Dependency Health 20%, Code Quality 25%, Architecture 25%, Testing 15%, and Risk Posture 15%.
Code Quality normalizes large and God modules against the repository's own module-size distribution, using absolute thresholds only as floors.
Architecture uses structural signals: workspace crate count, average module depth, use crate:: fan-out between top-level modules, module centralization, and real top-level cycles.
Testing rewards visible unit and integration structure; Dependency Health highlights direct dependency surface, critical dependencies, broad declarations, and pre-1.0 API indicators.
Risk Posture converts material findings into a review discount rather than hiding them inside one opaque score.
90-100 is excellent and should mainly prompt verification of assumptions.
80-89 is strong with review items worth confirming before relying on the system.
65-79 is workable but warrants focused senior review and follow-up questions.
50-64 indicates material diligence concerns that can affect delivery confidence.
Below 50 means the repo needs remediation or deeper manual review before a favorable diligence conclusion.
Architecture
The workspace is split into:
crates/audit-core: collection, analyzers, scoring, JSON rendering, Markdown renderingcrates/audit-cli: CLI argument handling and command executionexamples/sample-rust-service: small fixture repository for demos and regression checks
Analyzer modules implement a shared trait and consume a RepositorySnapshot. Report and evidence-pack renderers stay in the core crate so the CLI can remain a thin delivery layer.
Roadmap
- Optional
cargo outdatedintegration - Trend comparison between audit runs
- HTML report output
- Rule severity configuration
- Repository ownership and contributor analysis
License
Licensed under either of:
- Apache License, Version 2.0
- MIT license