langdoctor is a static analysis tool designed to audit LangGraph, LangChain, and Langflow projects for production-readiness and security vulnerabilities. It addresses risks specific to agent frameworks by scanning codebases for known CVEs, insecure configurations, hardcoded secrets, and other settings that can lead to exploitation in production environments. The tool is particularly relevant for developers and teams working with these frameworks who need to identify issues that generic security scanners may miss, such as framework-specific misconfigurations or deprecated APIs.
The platform performs deterministic, offline scans without making network calls, ensuring that source code remains local and private during analysis. Its advisory database, which includes up-to-date CVEs and known-exploited vulnerabilities (KEVs), ships within the package, allowing for reproducible and consistent results. langdoctor conducts 25 distinct checks, each with a stable identifier, covering categories like known CVEs, checkpointer configuration, runtime settings, secrets management, exposure risks, and project hygiene. Findings are output in multiple formats, including SARIF, JSON, and markdown, and the tool provides exit codes to facilitate integration with automated workflows.
langdoctor is designed for seamless integration into CI pipelines, supporting GitHub Actions, GitHub code scanning via SARIF output, GitLab CI, and pre-commit hooks. Users can suppress findings by check ID, deep-link to documentation, and configure CI to fail based on severity thresholds. The tool does not require API keys or LLM access and completes scans in a matter of seconds, making it suitable for both local development and continuous integration environments.
The tool is distributed as an open-source package under the MIT license and can be installed via pipx. Its development is attributed to Balázs, and updates to the advisory database are managed as data-driven patch releases, allowing users to maintain reproducible scans by pinning versions in CI. langdoctor is positioned as a framework-specific security and production-readiness auditor, complementing general-purpose SAST tools by targeting the unique risks of the LangGraph and LangChain ecosystem.
In the Other dev tools space, langdoctor takes a focused approach. It automates production-readiness and security audits for agent-based AI projects built with LangGraph or LangChain. It is built as an open-source project for AI developers and DevSecOps engineers. langdoctor is open source under the MIT license. It runs on the web and the command line.
Behind langdoctor is elaz48, and the product first shipped in 2026. Development happens publicly on GitHub with 10 commits in the last 90 days. PulseGate's similarity index finds few close equivalents — langdoctor occupies a relatively distinct niche. Key capabilities include security audit, production-readiness checks, and CLI interface.
Latest indexed changes and source events
Other apps tracked under the same category.