Skip to main content

Audit tools & languages

A full audit is broad. Hyrax runs a large catalog of checks across your whole repository — every audit, every time. You don't pick tools or build a profile: breadth is the point, because the value of catching the thing you weren't looking for is high.

For how an audit runs, see How Hyrax works. For what it produces, see Findings & suggestions.

What an audit covers

Every audit checks your code across six categories. A finding's category tells you which lens produced it.

  • Security — auth and access control, vulnerabilities, leaked secrets, supply-chain exposure, PII handling, and compliance gaps (GDPR, SOC 2, HIPAA).
  • Correctness — concurrency bugs, test coverage, state handling, resilience, accessibility, internationalization, and wasteful resource use.
  • Maintainability — code structure and naming, duplication, dead code, deprecated APIs, error handling, and stalled migrations.
  • Performance — slow queries and hot paths, frontend render and Core Web Vitals, and JavaScript bundle size.
  • Architecture — API contracts and documentation, versioning, input validation, database and schema risks, and tenant isolation in your own code.
  • Operations — observability, logging, configuration, deployment safety, dependency vulnerabilities and licenses, stale feature flags, monorepo health, and docs that have drifted from the code.

Dependency checks go beyond pattern matching: Hyrax runs your ecosystem's native package-audit commands and queries package registries for real vulnerability data, then layers on license, lockfile, and supply-chain checks.

Supported languages

Hyrax classifies and audits these languages:

PythonJavaScriptTypeScriptGo
RustSwiftRubyJava
KotlinC#C++C
PHPScalaDartElixir
ShellLuaMDX

A few things to know:

  • HCL / Terraform is not supported.
  • Polyglot repos still get audited. A repo that mixes supported and unsupported languages is audited fine — the unsupported parts are skipped, and the reasoning agents bring useful judgment even to languages without bespoke rules.

Audit depth by plan

The catalog above is what the Full audit runs. The audit comes in three depths that share the same engine and differ only in how much of the catalog they run — each a strict superset of the one below it:

  • Mini audit (Free) — a quick, lightweight pass over a focused subset of concerns, capped at a small set of findings. It runs automatically the first time you connect a repo.
  • Standard audit (Pro and Team) — a focused 24-tool sweep across security, correctness, maintainability, performance, and dependencies. It drops the architecture group and most of operations.
  • Full audit (Team) — the full ~39-tool catalog described above, including architecture analysis and the complete operations set.

In the app, the Run Audit button runs your plan's everyday audit — the Mini audit on Free, the Standard audit on Pro and Team. On Team, a separate Full audit button runs the complete catalog when you want the deepest sweep. See Workflows.

Where to go next