reinhardt

Crate: reinhardt (crates.io / lib.rs)
Version: 0.1.1
Created: 2025-11-21 01:04:38.505644+00
Updated: 2025-11-21 01:11:42.255644+00
Description: A focused security scanner for Django applications
Crate id: 1942849
Size: 99,673
Author: Eric Hamiter (ehamiter)

README

Reinhardt

Reinhardt (rh) is a focused security scanner for Django applications. It scans your codebase for common misconfigurations and security vulnerabilities.

Features

Reinhardt checks for:

  • Configuration Security: DEBUG mode, ALLOWED_HOSTS, SECRET_KEY management.
  • Modern Hardening: HSTS (including subdomains/preload), Content Security Policy (CSP), and Security Headers.
  • Cookie Security: HttpOnly, SameSite, and Secure flags for Session and CSRF cookies.
  • API Security: Django REST Framework (DRF) permission defaults (AllowAny) and throttling configuration.
  • XSS Prevention: Template scanning for unsafe filters (|safe) and autoescape off blocks.
  • Injection Risks: SQL injection sinks (.raw(), .extra(), cursor.execute()).
  • Auth & Secrets: Weak password hashers, hardcoded secrets, and default admin URLs.
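
As an added illustration (not Reinhardt's code, which is written in Rust), a small Python checker in the spirit of the configuration, HSTS, cookie and DRF checks above, run over two constructed Django settings fragments, a weak one beside a hardened one. The settings source is parsed with `ast`, never executed, and the Django and DRF defaults it assumes are the documented ones.

```python
import ast
# Django's defaults for the cookie flags, so an absent setting is judged correctly.
DJANGO_DEFAULTS = {"SESSION_COOKIE_SECURE": False, "SESSION_COOKIE_HTTPONLY": True,
                   "CSRF_COOKIE_SECURE": False, "CSRF_COOKIE_HTTPONLY": False}

def load_settings(source: str) -> dict:
    """Collect top-level NAME = <literal> assignments; the source is parsed, never executed."""
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:  # not a literal, e.g. os.environ["..."]
                values[node.targets[0].id] = None
    return values

def audit(settings: dict) -> list:
    """Return one finding per misconfiguration of the kinds listed above."""
    findings = []
    if settings.get("DEBUG") is True:
        findings.append("DEBUG is True")
    hosts = settings.get("ALLOWED_HOSTS") or []
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or contains '*'")
    if isinstance(settings.get("SECRET_KEY"), str):
        findings.append("SECRET_KEY is a hardcoded string literal")
    if not settings.get("SECURE_HSTS_SECONDS"):
        findings.append("SECURE_HSTS_SECONDS is unset or 0 (no HSTS)")
    for flag, default in DJANGO_DEFAULTS.items():
        if settings.get(flag, default) is not True:
            findings.append(f"{flag} is not True")
    drf = settings.get("REST_FRAMEWORK") or {}
    # DRF's own default permission class is AllowAny when nothing is configured.
    perms = drf.get("DEFAULT_PERMISSION_CLASSES", ["rest_framework.permissions.AllowAny"])
    if any(p.endswith("AllowAny") for p in perms):
        findings.append("DRF DEFAULT_PERMISSION_CLASSES allows anonymous access")
    return findings

# Constructed sample settings: a weak project beside a hardened one.
WEAK = 'DEBUG = True\nALLOWED_HOSTS = ["*"]\nSECRET_KEY = "django-insecure-change-me"\n'
HARDENED = """
import os
DEBUG = False
ALLOWED_HOSTS = ["app.example.com"]
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
SECURE_HSTS_SECONDS = 31536000
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
REST_FRAMEWORK = {"DEFAULT_PERMISSION_CLASSES": ["rest_framework.permissions.IsAuthenticated"]}
"""
```

`audit(load_settings(WEAK))` reports eight findings and `audit(load_settings(HARDENED))` reports none; SESSION_COOKIE_HTTPONLY is not flagged for the weak project because Django already defaults it to True.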

Installation

cargo install reinhardt

Usage

Scan the current directory:

rh

Scan a specific directory:

rh /path/to/django/project

Scan all files (including hidden and ignored ones):

rh --all-files

Initialize default configuration:

rh --init

Configuration

Reinhardt stores configuration in ~/.config/reinhardt/config.toml (or platform equivalent).

On first run, it will prompt you to set a default report output directory (default: ~/reinhardt_reports).

Reports are automatically organized into subdirectories by project name: ~/reinhardt_reports/<project_name>/reinhardt-scan-results-<timestamp>.md

Commit count: 0
