LangChain AI Security Score
Early governance signals exist but zero enforcement hooks leave 100K-star framework exposed.
Boundary Truth
Keep saved framework context separate from the next repo action
This page marks the saved scan, the right next step, and the limits as distinct zones.
Shown On This Page
Saved public scan from 2026-03-11
- This page preserves a saved public-framework scan for LangChain captured on 2026-03-11.
- The score, findings, and raw stats show what the public default-branch scan surfaced for LangChain at that time.
- Use it as comparison context for how a major framework exposes AI security gaps, not as a current read on your own repository.
Next Step
Run the free scan before treating this as current repo findings
- Use this saved framework example to decide whether the pattern is relevant enough to justify checking your own repository now.
- Run the free scan on your repo before treating this page as current delivery context or a paid-services trigger.
- Escalate to the baseline sprint only after a repo-level signal confirms a real gap, and keep monitoring after baseline work exists.
Limit
Useful explanation that still does not settle your repo
- This page does not show what your repo looks like right now or whether your controls already differ from this framework.
- It does not provide a repo-specific owner map, remediation order, or implementation promise for your codebase.
- The analysis and offer copy below explain the saved scan, but they do not extend the findings beyond the captured snapshot.
Overall Score: 40/100 saved snapshot (Grade: C)
This score is preserved from the public scan captured on 2026-03-11. It is comparative evidence for LangChain, not current findings for your repository.
Framework Limit
Keep saved framework context separate from current repo findings
Left column: comparison context visible on this page now. Right column: the current-repo and delivery claims this framework page still does not settle.
What This Framework Page Shows
Saved public scan from 2026-03-11
- This page preserves a saved public-framework scan for LangChain captured on 2026-03-11.
- The score, findings, and raw stats show what the public default-branch scan surfaced for LangChain at that time.
- Use it as comparison context for how a major framework exposes AI security gaps, not as a current read on your own repository.
What This Page Still Cannot Know
Current repo findings and paid follow-through need their own review
- This page does not show what your repo looks like right now or whether your controls already differ from this framework.
- It does not provide a repo-specific owner map, remediation order, or implementation promise for your codebase.
- The analysis and offer copy below explain the saved scan, but they do not extend the findings beyond the captured snapshot.
Need Current Repo Findings?
Use the free scan when you need current findings on your own repository instead of this saved framework example.
Key Findings
No Hook Enforcement [CRITICAL]
Zero pre-commit or Claude Code hooks despite 18 CI/CD workflows. CLAUDE.md rules (2 found) are advisory only -- nothing structurally prevents violations of documented conventions.
25 Potential Hardcoded Secrets [CRITICAL]
Secrets detected including patterns in tests. No automated secret scanning. No test credential convention distinguishes real secrets from test fixtures.
Monorepo Test Discovery Gap [HIGH]
Zero test files at root. Tests exist in libs/*/tests/ following monorepo convention, but governance tools scanning at root level see zero coverage.
Why LangChain's Governance Score Matters
LangChain is the most widely adopted framework for building LLM-powered applications. With 100,000+ GitHub stars, it defines patterns for how enterprises integrate large language models into production systems. Its governance posture matters not just for LangChain itself, but for the thousands of production applications built on its abstractions.
LangChain stands out in our portfolio for having the highest Context Hygiene score (75/100, Grade B). The presence of CLAUDE.md (253 lines with 2 explicit rules) and AGENTS.md shows that the LangChain team is aware of AI governance needs. But awareness without enforcement is a gap, not a solution. The 2 CLAUDE.md rules are advisory only -- nothing prevents an AI agent from violating them.
Enforcement Ladder Analysis
LangChain's enforcement distribution reveals a project in transition. At L2 (prose), it has the strongest context documentation in our portfolio. At L3 (templates), 18 GitHub Actions workflows provide solid CI automation. But at L5 (hooks), nothing exists -- the documented rules have no enforcement mechanism.
The monorepo structure adds complexity. Tests distributed across libs/core/, libs/community/, and other packages make governance assessment challenging. The 1,362 deprecated/dead code markers -- the highest in our portfolio -- suggest significant technical debt that governance tools could help manage.
What This Means for Teams Using LangChain
LangChain's rapid evolution means governance is a moving target. Breaking changes, deprecated abstractions, and evolving patterns make it essential to actively manage your LangChain dependency:
- Extend LangChain's CLAUDE.md in your own projects with application-specific rules for chain construction and prompt management
- Add pre-commit hooks that validate chain definitions, prevent prompt injection patterns, and enforce output parsing
- Implement integration tests that verify chain behavior end-to-end, not just individual component function
- Track deprecation warnings -- LangChain's 1,362 dead code markers indicate rapid API evolution
EU AI Act Compliance Impact
LangChain is the primary framework for building AI applications that interact with users. In EU AI Act terms, LangChain applications often fall under transparency requirements (Article 52) and may be classified as high-risk if used in regulated domains. With 18% compliance readiness, the critical gaps are in logging and audit trails -- LangChain's callback system provides hooks for this, but most applications do not implement them.
Recommendations
Immediate (Week 1): Expand CLAUDE.md from 2 rules to 10+ covering chain construction patterns, prompt safety, and output validation (2 hours). Add secret scanning to CI pipeline (1 hour). Add 3 pre-commit hooks for security-critical paths (2 hours).
Short-term (Month 1): Deploy L5 enforcement hooks for security-critical paths (libs/core/, libs/community/). Create unified test orchestration across monorepo packages. Implement deprecation cleanup plan for 1,362 dead code markers.
Strategic (Quarter): Build enforcement ladder documentation mapping LLM application patterns to EU AI Act requirements. Establish automated chain behavior testing in CI. Implement autoresearch optimization (20-50 iterations) to tune enforcement rules for LLM-specific patterns.
Saved Public Scan Data
These counts are preserved from the public framework scan on 2026-03-11. They are useful comparative evidence, not a current read on your repository.
EU AI Act Readiness
Estimated saved-snapshot readiness based on enforcement posture, documentation, and automated quality controls in the assessed public repo. EU AI Act enforcement begins August 2, 2026.
Next Step Path
Use the framework page to choose the right next move
These framework pages are saved comparison context. The free scan is the first current-state check for your repo. When the signal is real, the baseline sprint is the first paid move, and its request page reviews fit before delivery starts. Monitoring uses that same review path only after baseline work exists. This page is comparative context, not current repo findings.
Current Page State
Saved framework snapshot only
This page preserves comparison context from 2026-03-11. It does not settle what your repo looks like today or whether a paid engagement fits yet.
Right Next Move
Run the free scan on your repo
That gives the first current-state signal. Move to the baseline sprint only after a repo-level signal confirms a real gap, and keep monitoring for after baseline work exists.
Plain Next-Step Path
From this saved framework page, the next step is the free scan on your own repo. Request the baseline sprint only if that repo-level signal confirms a real gap, and keep monitoring for after baseline work is in place.
1. Free Scan
Free Scan
Use the free scan when you need current findings on your own repository instead of this saved framework example.
This page only gives saved framework evidence, so the free scan is the first current-state check for your repo.
Start here when a framework score is useful context but not current enough to act on.
2. Baseline Sprint
Baseline Sprint
Use this after your own scan or equivalent repo signal shows a real gap and you need a bounded remediation order. The request page reviews fit before any sprint is booked.
Keep this for after your own scan or equivalent repo signal confirms a real gap that needs a fix order.
This is the first paid move. The request page checks fit so current repo signal can turn into a concrete fix path before delivery starts.
3. Monitor
Monitor
Keep this for continuity after baseline work exists, not as the first paid move from a saved framework page. The request page reviews fit first.
Monitoring is continuity work only after baseline enforcement exists, not the first move from a saved framework page.
If all you have is comparative framework context, skip this for now and start with the free scan.
If all you have is this saved framework page, start with the free scan. The baseline sprint is the first paid move only after the signal is real, and monitoring only fits after baseline work exists.