Django AI Security Score
The most deployed Python web framework has 1,995 test files but zero enforcement hooks.
Boundary Truth
Keep saved framework context separate from the next repo action
This page marks the saved scan, the right next step, and the limits as distinct zones.
Shown On This Page
Saved public scan from 2026-03-11
- This page preserves a saved public-framework scan for Django captured on 2026-03-11.
- The score, findings, and raw stats show what the public default-branch scan surfaced for Django at that time.
- Use it as comparison context for how a major framework exposes AI security gaps, not as a current read on your own repository.
Next Step
Run the free scan before treating this as current repo findings
- Use this saved framework example to decide whether the pattern is relevant enough to justify checking your own repository now.
- Run the free scan on your repo before treating this page as current delivery context or a paid-services trigger.
- Escalate to the baseline sprint only after a repo-level signal confirms a real gap, and keep monitoring after baseline work exists.
Limit
Useful explanation that still does not settle your repo
- This page does not show what your repo looks like right now or whether your controls already differ from this framework.
- It does not provide a repo-specific owner map, remediation order, or implementation promise for your codebase.
- The analysis and offer copy below explain the saved scan, but they do not extend the findings beyond the captured snapshot.
Overall Score: 29/100 saved snapshot (Grade: D)
This score is preserved from the public scan captured on 2026-03-11. It is comparative evidence for Django, not current findings for your repository.
Framework Limit
Keep saved framework context separate from current repo findings
Left column: comparison context visible on this page now. Right column: the current-repo and delivery claims this framework page still does not settle.
What This Framework Page Shows
Saved public scan from 2026-03-11
- This page preserves a saved public-framework scan for Django captured on 2026-03-11.
- The score, findings, and raw stats show what the public default-branch scan surfaced for Django at that time.
- Use it as comparison context for how a major framework exposes AI security gaps, not as a current read on your own repository.
What This Page Still Cannot Know
Current repo findings and paid follow-through need their own review
- This page does not show what your repo looks like right now or whether your controls already differ from this framework.
- It does not provide a repo-specific owner map, remediation order, or implementation promise for your codebase.
- The analysis and offer copy below explain the saved scan, but they do not extend the findings beyond the captured snapshot.
Need Current Repo Findings?
Use the free scan when you need current findings on your own repository instead of this saved framework example.
Key Findings
No Hook Enforcement [CRITICAL]
Zero pre-commit or Claude Code hooks. Security-critical patterns like CSRF protection, authentication middleware, and SQL injection prevention are enforced only by human code review.
25 Potential Hardcoded Secrets [CRITICAL]
No automated secret scanning. Test fixtures are indistinguishable from real secrets. Django's SECRET_KEY pattern may normalize credential embedding in projects built on it.
No CLAUDE.md or Agent Instructions [HIGH]
No project-specific context for AI agents. 20+ years of accumulated conventions -- MVT architecture, ORM patterns, middleware ordering, security best practices -- exist only as tribal knowledge.
Why Django's Governance Score Matters
Django powers some of the most critical web applications in the world, from Instagram to Mozilla to the Washington Post. With 80,000+ GitHub stars and a 20-year track record, it is the most battle-tested Python web framework. Its governance posture affects every application built on it.
Django's L4 (test) coverage is the strongest in our audit portfolio: 1,995 test files with a 205% test-to-source ratio. This is excellent software engineering. But tests alone do not constitute governance. Without L5 hooks, nothing prevents a commit from bypassing Django's security patterns -- CSRF protection, authentication middleware, SQL injection prevention -- before reaching CI.
Enforcement Ladder Analysis
Django's enforcement distribution tells an interesting story. At L4 (tests), it is the strongest project we have audited, with nearly two test files for every source file. At L3 (templates), 17 GitHub Actions workflows provide solid CI/CD automation. But at L5 (hooks) and L2 (prose), there is nothing.
The result is a governance model that catches problems after they are committed, never before. For security-critical patterns -- CSRF tokens, authentication backends, middleware ordering -- this means a window exists between commit and CI where vulnerable code can enter the codebase.
What This Means for Teams Using Django
Django's extensive documentation and well-established patterns make it one of the safest frameworks to build on. The governance risk is in modification, not usage. If your team extends Django or builds applications on it:
- Add pre-commit hooks that validate security-critical patterns (CSRF, authentication, middleware ordering)
- Create CLAUDE.md documenting Django's MVT architecture, ORM conventions, and security requirements for AI contributors
- Implement secret scanning in CI to distinguish test fixtures from real credentials
- Use Django's built-in security checklist (
manage.py check --deploy) as a pre-deployment hook
EU AI Act Compliance Impact
Django itself is web infrastructure, not an AI system. But Django applications increasingly serve as the deployment layer for AI models -- serving predictions, managing training data, and providing user interfaces for AI systems. Organizations using Django in AI-adjacent contexts should ensure their governance layer addresses the 20% EU AI Act readiness gap, particularly in Article 15 (Cybersecurity) where Django's security middleware is a key defense.
Recommendations
Immediate (Week 1): Create CLAUDE.md covering MVT architecture, security patterns, and middleware conventions (1 hour). Add 3 pre-commit hooks for security-critical paths (2 hours). Audit and remediate 25 potential secrets (2 hours).
Short-term (Month 1): Deploy L5 enforcement hooks for security-critical paths (authentication, CSRF, SQL). Set up violation tracking for security pattern bypasses. Add automated secret scanning to CI pipeline.
Strategic (Quarter): Build enforcement ladder documentation mapping Django security patterns to compliance requirements. Establish automated regression testing for security middleware behavior. Implement autoresearch optimization to continuously improve enforcement coverage.
Saved Public Scan Data
These counts are preserved from the public framework scan on 2026-03-11. They are useful comparative evidence, not a current read on your repository.
EU AI Act Readiness
Estimated saved-snapshot readiness based on enforcement posture, documentation, and automated quality controls in the assessed public repo. EU AI Act enforcement begins August 2, 2026.
Next Step Path
Use the framework page to choose the right next move
These framework pages are saved comparison context. The free scan is the first current-state check for your repo. When the signal is real, the baseline sprint is the first paid move, and its request page reviews fit before delivery starts. Monitoring uses that same review path only after baseline work exists. This page is comparative context, not current repo findings.
Current Page State
Saved framework snapshot only
This page preserves comparison context from 2026-03-11. It does not settle what your repo looks like today or whether a paid engagement fits yet.
Right Next Move
Run the free scan on your repo
That gives the first current-state signal. Move to the baseline sprint only after a repo-level signal confirms a real gap, and keep monitoring for after baseline work exists.
Plain Next-Step Path
From this saved framework page, the next step is the free scan on your own repo. Request the baseline sprint only if that repo-level signal confirms a real gap, and keep monitoring for after baseline work is in place.
1. Free Scan
Free Scan
Use the free scan when you need current findings on your own repository instead of this saved framework example.
This page only gives saved framework evidence, so the free scan is the first current-state check for your repo.
Start here when a framework score is useful context but not current enough to act on.
2. Baseline Sprint
Baseline Sprint
Use this after your own scan or equivalent repo signal shows a real gap and you need a bounded remediation order. The request page reviews fit before any sprint is booked.
Keep this for after your own scan or equivalent repo signal confirms a real gap that needs a fix order.
This is the first paid move. The request page checks fit so current repo signal can turn into a concrete fix path before delivery starts.
3. Monitor
Monitor
Keep this for continuity after baseline work exists, not as the first paid move from a saved framework page. The request page reviews fit first.
Monitoring is continuity work only after baseline enforcement exists, not the first move from a saved framework page.
If all you have is comparative framework context, skip this for now and start with the free scan.
If all you have is this saved framework page, start with the free scan. The baseline sprint is the first paid move only after the signal is real, and monitoring only fits after baseline work exists.