Auditing the code is not enough, we would need to audit the state of the server since most of these servers allow ssh access the state of the system can be changed at any time by an operator. 

 An even further issue is that in the case of allowing an auditor in, it would expose secrets as well.