Reinhardt (rh) is a focused security scanner for Django applications. It scans your codebase for common misconfigurations and security vulnerabilities.
Reinhardt checks for:
- Configuration Security:
DEBUGmode,ALLOWED_HOSTS,SECRET_KEYmanagement. - Modern Hardening: HSTS (including subdomains/preload), Content Security Policy (CSP), and Security Headers.
- Cookie Security: HttpOnly, SameSite, and Secure flags for Session and CSRF cookies.
- API Security: Django REST Framework (DRF) permission defaults (
AllowAny) and throttling configuration. - XSS Prevention: Template scanning for unsafe filters (
|safe) andautoescape offblocks. - Injection Risks: SQL injection sinks (
.raw(),.extra(),cursor.execute()). - Auth & Secrets: Weak password hashers, hardcoded secrets, and default admin URLs.
cargo install reinhardtScan the current directory:
rhScan a specific directory:
rh /path/to/django/projectScan all files (including hidden and ignored ones):
rh --all-filesInitialize default configuration:
rh --initReinhardt stores configuration in ~/.config/reinhardt/config.toml (or platform equivalent).
On first run, it will prompt you to set a default report output directory (default: ~/reinhardt_reports).
Reports are automatically organized into subdirectories by project name:
~/reinhardt_reports/<project_name>/reinhardt-scan-results-<timestamp>.md