> TheAuditor / blog
determinism, ci, performance

Fast scans, cold-scan answers

TheAuditor's incremental scan now returns the same findings as a full scan, cross-file calls included. Run the fast one on every commit and trust it.

There has always been a quiet tax on running static analysis in a fast loop. The full scan is thorough but slow, so you save it for the nightly job or the pull-request gate. The incremental scan is quick enough to run on every commit, but you learn not to fully trust it, because “fast” usually means “cut a few corners,” and the corners it cuts are the cross-file ones that matter. So you end up with two answers and a nagging question about which one is real.

The two answers are now the same answer

TheAuditor’s incremental scan now returns results identical to a full, from-scratch scan. Not close, not mostly: the same findings, including the vulnerabilities that only exist because a value crosses from one file into a function defined in another. The fast path used to be the place cross-file calls could slip through. It isn’t anymore. We verified this across every language TheAuditor supports.

Why identical matters more than fast

Fast is nice. Identical is the point. When your local incremental scan, your commit hook, and your CI gate all produce the same result, a finding is a fact about your code rather than an artifact of which mode happened to run. Nobody argues about whether the pipeline “really” found something. A clean fast scan means a clean full scan, so you can gate on the quick one and mean it.

What it unlocks

Run the fast scan on every save and every commit and treat its output as authoritative. Let an AI agent lean on it the same way, caching what it learned, because the answer won’t shift underneath it between runs. The whole reason to pre-compute facts about a codebase is so nothing downstream has to guess, and that only holds if the facts are stable. Now they are, whether you asked the slow way or the fast way.

TheAuditor is pre-launch; the public binary ships when its hardening checks pass. It is the ground-truth layer for Code Reality Labs, proven honest by BenchProctor. Subscribe on the main site for launch news.

Was this useful?