This is interesting but quite unclear.
The OP talks about “code audit” (assuming all code is available, which is obviously not the case for blobs). Follow-ups talk about “security audit”.
Without a clear goal, it kind of makes no sense.
Even “security” is too broad.