
E_Snap t1_je7k3de wrote

You’d have to audit whatever specific instance of compiler or interpreter they use to run it, too. Remember, Ken Thompson was able to hide an undetectable back door in UNIX by modifying a compiler to add the back door to the kernel whenever it was compiling it, and then modifying the compiler to add the back-door-adding code to the compiler code whenever it found it was compiling itself. Bam, no trace of malware in the source, all the checksums work out, and the only way you’d ever find out is by compiling a clean version of the compiler source with a clean version of the compiler and then starting your audit.

3
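
The rebuild-and-compare check described in the comment above, as an added example in a toy model (not part of the original comment): binaries are plain strings, and the `+TROJAN` and `+BACKDOOR` markers, the source names and the function names are all constructed for illustration. It shows why a self-rebuild checksum still matches with an infected compiler while a rebuild starting from a trusted compiler does not.

```python
import hashlib

# Toy model (constructed for illustration): a "binary" is a string, and a
# compiler binary's behaviour depends on whether it carries the TROJAN marker.
COMPILER_SRC = "compiler-source-v1"   # clean, audited source (constructed)
KERNEL_SRC = "kernel-source-v1"       # clean, audited source (constructed)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def run_compiler(compiler_bin: str, source: str) -> str:
    """Simulate running a compiler binary on a source file."""
    out = "BIN:" + source
    if "+TROJAN" in compiler_bin:      # behaviour lives in the binary only
        if source == KERNEL_SRC:
            out += "+BACKDOOR"         # marker for the injected kernel change
        elif source == COMPILER_SRC:
            out += "+TROJAN"           # marker for self-propagation
    return out


def audit(suspect_cc: str, trusted_cc: str) -> dict:
    """Compare what a checksum-only audit sees with a trusted rebuild."""
    # Stage 1: the trusted compiler builds the clean compiler source.
    stage1 = run_compiler(trusted_cc, COMPILER_SRC)
    # Stage 2: that result rebuilds the same source; a clean compiler
    # reproduces itself, so stage2 is the expected compiler binary.
    stage2 = run_compiler(stage1, COMPILER_SRC)
    return {
        # An infected compiler also reproduces itself exactly, so a
        # self-rebuild checksum comparison passes either way.
        "self_rebuild_matches": run_compiler(suspect_cc, COMPILER_SRC) == suspect_cc,
        # Rebuilding from the trusted compiler exposes the difference.
        "trusted_rebuild_matches": sha256(stage2) == sha256(suspect_cc),
        "kernel_matches": sha256(run_compiler(suspect_cc, KERNEL_SRC))
        == sha256(run_compiler(stage2, KERNEL_SRC)),
    }


TRUSTED_CC = "BIN:" + COMPILER_SRC     # assumed built from an independent bootstrap
INFECTED_CC = TRUSTED_CC + "+TROJAN"   # constructed stand-in for a tampered binary

if __name__ == "__main__":
    print("clean   :", audit(TRUSTED_CC, TRUSTED_CC))
    print("infected:", audit(INFECTED_CC, TRUSTED_CC))
```

The check is only as good as the independence of the trusted compiler: if both binaries descend from the same tampered ancestor, every comparison matches.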