auditx

One command.
Every vulnerability.
AI-ready report.

auditx auto-detects your stack, orchestrates 22 scanners in parallel — secrets, deps, SAST, dead code, complexity, IaC, and AI-pattern anti-patterns. One command. One normalized report.

npx auditx@latest .
[→] GitHub
terminal
$ npx auditx@latest .
 
[+] auditx v0.1.33
Scanning: /projects/my-app
 
Stack detected: Node.js · TypeScript · Docker
Running 22 scanners in parallel…
 
[+] gitleaks (secrets) clean 1.2s
[+] trivy (deps/CVEs) clean 2.1s
[+] semgrep (SAST) clean 3.4s
[-] semgrep (ai patterns) 3 findings 4.1s
[-] eslint (security patterns) 2 findings 1.8s
[+] jscpd (duplication) clean 5.2s
[+] tsc (typescript compiler) clean 3.1s
[+] lizard (complexity) clean 2.9s
[+] knip (dead code) clean 4.5s
 
[ OK ] Report written to: audit-report.md
auditx: [FAIL] 5 findings (0 critical · 2 high · 3 medium)
tab switch panelctrl-c exit--output agent | json | markdown | html
22
parallel scanners
100+
AI-pattern rules
0
config required
100%
local — no cloud

AI-assisted code ships fast.
It doesn't ship safe.

01
OPPORTUNITY
AI writes code in seconds
Copilot, Cursor, Claude Code — your team ships 3× faster. That's the upside.
02
RISK
AI doesn't audit itself
Silent catch blocks, floating promises, ts-any-cast, useEffect with no deps — these patterns ship constantly because no existing linter targets AI-generation anti-patterns specifically.
03
PAIN
Manual toolchain is brutal
Semgrep + Trivy + Gitleaks + ESLint + Knip = 5 CLIs, 5 JSON schemas, 5 update cycles, and still zero AI-pattern coverage.
04
SOLUTION
auditx is the trust layer
100+ custom rules built from real AI codegen failure modes. One command, parallel execution, structured output that AI agents can parse and self-fix.
// real AI-generated anti-patterns auditx catches
aipatterns.ts
WARNai-silent-catch try { ... } catch (e) { }
WARNai-floating-promise fetch(url) // no await, no .catch
WARNai-ts-any-cast const val = data as any
ERRORai-react-state-mutate state.items.push(newItem)
WARNai-promise-in-loop for (const x of items) { await save(x) }
[+] System Architecture
01DETECT
02RUN
03NORMALIZE
04OUTPUT
SCAN_ENGINE_INIT
Stack auto-detected

auditx walks your workspace 4 levels deep — finds package.json, pyproject.toml, go.mod, Dockerfile, *.tf, tsconfig.json, Prisma schemas. No config. No manifest. Only relevant scanners fire.

CPU_CORES [4]
ALLOCATING
C0
...
C1
3X
C2
...
C3
1X
LPT_QUEUE
3X
3X
2X
1X
1X
1X
1X
1X
CPU-aware orchestration

Each scanner has a cost weight (1–3). The LPT orchestrator fills CPU cores greedily — heavy scanners run alongside lightweight ones without hammering the machine, ensuring optimal CPU utilization.

DATA_SYNTHESIS
One schema, every scanner

Five scanners, five different output formats. auditx normalizes everything into a single Finding schema with stable fingerprints — agents can deduplicate across re-runs without re-parsing 5 JSON shapes.

HUMANPR_AGENTCI_GATEAI_MODEL
SIGNAL_DISPATCH
Five modes, one flag

Terminal for humans. Markdown for PR comments. HTML for interactive dashboards. JSON for CI dashboards. Agent mode is a single-line JSON optimized for context-window token efficiency.

Also available
--watchRe-run on file change
--fixAuto-apply fixable issues
--skip secrets,sastSkip categories
--ci --severity highExit 1 for CI gates
auditx hook installGit hooks in one command
Supported stacks
Node.jsTypeScriptPythonGoRustDockerTerraformReactNext.jsNestJSExpressDjangoSQLPrisma

Grouped by domain. Every applicable scanner
runs automatically.

SECRETS
Gitleaks
API keys, tokens, passwords — including git history
DEPS
Trivy + npm audit
CVEs in npm/pip/cargo with CVSS scores
SAST
Semgrep
SQL injection, eval, XSS, command injection, path traversal
IACUNIQUE
Trivy config
Dockerfile misconfig, k8s insecure defaults, Terraform

See what auditx catches — locally, in seconds.

[ TTY ]
example.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
import { createClient } from '@supabase/supabase-js'

// Hardcoded API key — auditx flags this
const supabase = createClient(
  'https://xyz.supabase.co',
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.secret_key'
)

export async function fetchUsers() {
  const { data } = await supabase
    .from('users').select('*')
  return data
}
terminal
$ auditx .
CRITICALHardcoded API key
src/db.ts:5 · gitleaks/generic-api-key
fix: Move to .env and use process.env.SUPABASE_KEY
1 finding require attention.

Real findings, real format. Click the tabs.

[ TTY ]
# auditx Security Report

**Target**: `/projects/my-app`
**Scanned**: 2026-07-04 · **Duration**: 9.4s
**Stack**: Node.js · TypeScript · Docker
**Scanners**: semgrep · trivy · gitleaks · tsc · aipatterns

---

## Summary

| Category    | Critical | High | Medium | Low |
|-------------|----------|------|--------|-----|
| SECRETS     |    1     |  —   |   —    |  —  |
| DEPS        |    —     |  3   |   5    |  2  |
| AI_CODE     |    —     |  —   |   3    |  4  |
| TYPE_SAFETY |    —     |  1   |   2    |  —  |
| **Total**   |  **1**   |**4** | **10** |**6**|

> 5 critical/high findings require immediate attention.
[SECRETS] Hardcoded API key detected
src/config/db.ts:14 · gitleaks/generic-api-key
fix: Move to .env · Rotate the key · Add .env to .gitignore
[TYPE_SAFETY] Type error in async handler
src/api/routes.ts:52 · tsc/ts2304
fix: Add return type annotation to async function
[AI_CODE] Floating promise — ai-floating-promise
src/api/client.ts:82 · ai-floating-promise
fix: await the call or attach .catch()
[AI_CODE] TypeScript any cast — ai-ts-any-cast
src/utils/parser.ts:31 · ai-ts-any-cast
fix: Type the value properly instead of casting to any

Built for the agentic-coding era.

Claude Code, Cursor, Codex — agents write code at scale. --output agent gives them a clean JSON contract: stable fingerprints, file-to-finding maps, fixability flags, and a boolean ok gate. Loop until clean.

01RUN02PARSE03FIX04VERIFYAGENTLOOP
01RUN
$ auditx . --output agent
Pure JSON stdout — no spinners, no ANSI. Agent parses directly.
$ auditx . --output agent
ok: false1 critical · 2 high → agent branches
{
"ok": false,
"exitCode": 1,
"counts": { "critical": 1, "high": 2, "medium": 5 },
"files": ["src/config/db.ts", "src/api/client.ts"],
"findings": [
{
"id": "gitleaks-001",
"fp": "a3f91bc4d2e1",
"sev": "critical",
"cat": "SECRETS",
"file": "src/config/db.ts",
"line": 14,
"msg": "Hardcoded API key in source file",
"fix": "Move to .env · Rotate the key",
"fixable": true
}
]
}
01 / RUN
$ auditx . --output agent
02 / PARSE
"ok": false → branch to fix
03 / FIX
apply_llm_patch(file, findings)
04 / VERIFY
"ok": true → loop exits

Exit code 1 on findings.
Drops into any pipeline.

GitHub Actionsaudit.yml
# .github/workflows/audit.yml
name: Security Audit
on: [push, pull_request]
 
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Run auditx
run: npx auditx@latest . --severity high --ci
- name: Upload report
if: always()
uses: actions/upload-artifact@v4
with:
name: audit-report
path: audit-report.md
Git Hooks
# Install pre-commit + pre-push hooks
auditx hook install
 
# Or install specific hooks
auditx hook install --pre-commit
auditx hook install --pre-push
 
# Hooks run on staged files only — fast.
# Full project scan on push.
[+]pre-commit: scans staged files only — milliseconds
[+]pre-push: full project scan before remote
[+]post-merge: catch regressions after pulls
[+]Preserves and chains existing husky hooks
[+]--staged-list: pass exact file list to runners

auditx vs. Industry Standards

BenchmarkSnykSonarQubeauditx
Execution SpeedCloud upload + ML scan (~45s+)Heavy Java build (minutes)[+]Local AST — under 10s
Execution ModelRequires SaaS accountRequires server hosting[+]100% local CLI — zero config
ScopeSCA, SAST, IaCSAST, code quality[+]22 scanners — Secrets, AI patterns, dead code + more
Data PrivacySends code to cloudDepends on host[+]Code never leaves machine
Setup TimeAPI keys, configsDatabase, JVM, plugins[+]0 minutes — npx auditx@latest .
PriceExpensive enterpriseExpensive enterprise[+]Free & open source — MIT