This project is not covered by Drupal’s security advisory policy.

A Drupal site auditing framework that identifies configuration issues, performance problems, and best practice violations. Tracks all installed modules with versions and detects pending updates, including security releases.

The module is free and open source, and works completely standalone. Optionally, it can connect to DruScan, a centralized dashboard where you can see audit scores and module versions from all your Drupal projects in one place.

What you get

  • Module inventory: Complete list of installed modules with current versions, available updates, and security patches flagged.
  • Health scores: 0-100 scores for performance, SEO, content structure, Views, caching, fields, and more.
  • Project Score: Overall weighted score combining all audit results.
  • Detailed reports per category: Each submodule has its own report page showing detected issues, current configuration, and specific recommendations to improve that category's score.

Works great as a quality gate for AI-generated code

AI coding tools are now part of many Drupal development workflows. The code they produce often works on the first run, but it does not always follow Drupal community standards, tends to use deprecated APIs, and occasionally introduces security problems that are not immediately obvious.

Typical use cases

Taking over a client project. Run a full audit before writing a single line of code. You get a scored inventory of every installed module, pending security updates, unused fields, misconfigured Views, cache configuration issues, and performance problems. You walk into the kickoff meeting with actual data instead of guesses.

Pre-deploy validation. Enable audit_phpstan, audit_phpcs, and audit_cache in your staging environment. Before every deploy, run the audit to confirm that custom code meets Drupal standards and that caching is configured correctly for production.

Ongoing maintenance across multiple projects. Install the module on every client site and connect to DruScan to see pending updates, security advisories, and health scores for your entire portfolio from one dashboard, without logging into each site individually.

Code complexity review. Use audit_complexity to identify modules or components that have grown too complex over time and are becoming a maintenance risk. Useful when deciding where to refactor before adding new features.

Submodules

Install only what you need:

  • audit_status: Server compatibility checks covering PHP version, database version, Drupal core version, memory limits, and basic environment requirements.
  • audit_cron: Cron configuration and execution status. Detects if cron has not run recently, if there are stuck queues, or if the cron key is exposed.
  • audit_modules: Analyzes the installed module landscape. Flags modules that are no longer maintained, have no stable release, or are enabled but appear unused.
  • audit_updates: Tracks every installed module and Drupal core version, detects pending updates, and flags security releases.
  • audit_security: Checks security-related configuration including file permissions, admin account exposure, text format settings, and other common security misconfigurations.
  • audit_performance: Reviews cache configuration, CSS and JS aggregation, BigPipe setup, and other settings that directly affect page load times on production.
  • audit_cache: Deep inspection of the Drupal caching layer. Checks cache tags, cache contexts, Dynamic Page Cache configuration, and common patterns that cause cache invalidation problems or UNCACHEABLE responses.
  • audit_fields: Detects unused fields attached to content types and other entities, orphaned field storage, and field configuration that adds database weight without being used.
  • audit_views: Reviews Views configuration for performance issues including missing caching, expensive queries, and display configurations that generate N+1 database calls.
  • audit_entity: Analyzes entity type configuration, bundle setup, and common misuses of the Entity API. Useful for catching architectural problems in custom modules.
  • audit_complexity: Measures code complexity across custom modules. High cyclomatic complexity is a maintenance risk and this submodule flags components that have grown too complex to change safely.
  • audit_twig: Inspects Twig templates for code quality problems including bypassed auto-escaping, deprecated functions, and patterns that break Drupal's render pipeline.
  • audit_images: Checks responsive image configuration, image style setup, and whether images are being served at appropriate sizes.
  • audit_blocks: Reviews block configuration and placement. Detects blocks with missing or incorrect cache configuration and layout problems that cause unnecessary cache invalidation.
  • audit_menu: Audits menu configuration and link structure. Detects orphaned menu links, broken references, and menus that are enabled but never used.
  • audit_seo: Checks technical SEO configuration including Metatag setup, Pathauto patterns, XML sitemap, robots.txt, and canonical URLs.
  • audit_database: Analyzes database size, table overhead, and optimization opportunities. Flags tables that have grown unusually large or have not been optimized.
  • audit_i18n: Reviews multilingual configuration. Detects translation modules that are enabled but not fully configured, content types without translation enabled, and interface language setup problems.
  • audit_search_api: Checks Search API configuration, index status, and common problems with Solr or other backend setups.
  • audit_watchdog: Analyzes the database log for recurring errors and warnings. Useful for spotting PHP notices or deprecation warnings that are silently piling up.
  • audit_phpstan: Runs static code analysis on custom modules using PHPStan. Catches type errors, undefined variables, incorrect API usage, and other problems that would otherwise only surface at runtime. Enable in development or staging environments only.
  • audit_phpcs: Checks custom module code against Drupal coding standards using PHP_CodeSniffer. Enforces the same standards the Drupal community applies to contributed modules. Enable in development or staging environments only.
  • audit_phpunit: Analyzes the test structure of custom modules. It does not execute tests directly (that belongs in your CI/CD pipeline) but checks whether tests exist, follow PHPUnit conventions for Drupal, and are correctly organized. Useful for identifying custom modules that have no test coverage at all.
  • audit_all: Enables all recommended submodules in a single step. Convenient for a first audit of an unfamiliar project.

Installation

composer require drupal/audit
drush en audit

Common setup for agencies managing client sites:

drush en audit audit_updates audit_security audit_performance audit_cache audit_seo

Full audit of an inherited project:

drush en audit_all

Code quality submodules for development and staging environments:

drush en audit_phpstan audit_phpcs audit_phpunit

After enabling the module, go to Admin > Reports > Site Audit to see your first report.

Production use

Most submodules run fine on production. They perform read-only inspections and do not modify files, configuration, or database content. The exceptions are audit_phpstan, audit_phpcs, and audit_phpunit, which require dev dependencies and should only be enabled in development or staging environments.
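
One way to enforce this rule in a deploy pipeline, as an added example (not code from the Audit project). The function names, the "production" environment label, and the sample module list are assumptions; the input is a list of enabled module machine names, one per line.

```shell
#!/bin/sh
# Added example: deploy gate for the dev-only Site Audit submodules.
# Input on stdin: enabled module machine names, one per line, e.g. from
#   drush pm:list --type=module --status=enabled --field=name
DEV_ONLY_AUDIT_MODULES="audit_phpstan audit_phpcs audit_phpunit"

# Print each dev-only submodule found on stdin; return 1 if any were found.
find_dev_only_audit_modules() {
  enabled=$(tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  found=0
  for module in $DEV_ONLY_AUDIT_MODULES; do
    # -x matches whole lines and -F disables regex, so a longer name never matches.
    if printf '%s\n' "$enabled" | grep -qxF "$module"; then
      printf '%s\n' "$module"
      found=1
    fi
  done
  return "$found"
}

# Gate (hypothetical helper): block the deploy only when the target is production.
audit_deploy_gate() {
  target_env=$1
  if offenders=$(find_dev_only_audit_modules); then
    return 0
  fi
  if [ "$target_env" = "production" ]; then
    echo "Refusing deploy: dev-only audit submodules enabled:" >&2
    printf '  %s\n' $offenders >&2
    return 1
  fi
  return 0
}

# Constructed sample: modules enabled on a staging site.
SAMPLE_ENABLED="audit
audit_updates
audit_security
audit_phpstan
audit_phpcs"

printf '%s\n' "$SAMPLE_ENABLED" | audit_deploy_gate staging && echo "staging: ok"
printf '%s\n' "$SAMPLE_ENABLED" | audit_deploy_gate production || echo "production: blocked"
```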

Optional: connect to DruScan dashboard

If you manage multiple Drupal projects, checking audit results site by site gets old fast. DruScan is a centralized dashboard where you can see all your projects together. The main advantage is having a single place to check which projects have pending module updates, which ones have security patches waiting, and how each project scores across all audit categories.

Once configured, the module sends only aggregate scores (0-100 per enabled submodule) and the list of installed modules with versions via cron. No code, content, user data, or configuration details ever leave your server. The full audit report stays on your Drupal installation.

Registration is free and supports unlimited projects. For more details on available plans, visit druscan.com.

Does this replace a professional audit?

No. The module automates detection of common issues and saves hours of manual work, but it does not replace a senior developer reviewing custom code and architectural decisions. Think of it as a thorough first pass that catches the most common problems and gives you a structured baseline to work from.
