Django + DRF security, reliability and performance inspector
Project description
django_security_hunter
Django + DRF Security, Reliability, and Performance Inspector.
django_security_hunter helps backend teams catch risky patterns early: security misconfigurations, authorization gaps, abuse-protection weaknesses, API correctness issues, and performance/reliability smells.
Why django_security_hunter
AI-assisted coding improves speed, but it can also introduce hidden backend risks.
django_security_hunter gives fast, actionable feedback during development and in CI before code reaches production.
Features
- Static and configuration scanning for Django + DRF projects
- Runtime profiling mode scaffold for query explosion / N+1 detection
- Output formats:
console,json,sarif - CI-friendly exit codes by severity threshold
- GitHub Security integration through SARIF
Documentation
Installation
From PyPI:
pip install django-security-hunter
Python package / CLI: django_security_hunter.
From source (clone into a folder name that matches the project):
git clone https://github.com/abu-rayhan-alif/djangoGuard.git django-security-hunter
cd django-security-hunter
python -m venv .venv
# Windows PowerShell
.venv\Scripts\Activate.ps1
pip install -e .[dev]
Quick Start
- Open a terminal in your Django project root (the directory that contains
manage.py). - Run:
django_security_hunter scan --project . --format console
To load Django settings-based rules (DJG001–DJG012), pass your settings module:
django_security_hunter scan --project . --settings yourproject.settings --format console
Other examples:
django_security_hunter scan --project . --format json --output reports/django_security_hunter.json
django_security_hunter scan --project . --format sarif --output reports/django_security_hunter.sarif
Commands
django_security_hunter scan
Runs static/config analysis and emits a report.
django_security_hunter profile
Runs runtime-oriented profiling checks (currently scaffolded in v0.1).
django_security_hunter init
Creates a default django_security_hunter.toml file in the target project.
CLI Options
--projectProject root path--settingsDjango settings module (example:config.settings)--formatconsole | json | sarif--outputOutput file path--thresholdINFO | WARN | HIGH | CRITICAL
Configuration
Configuration is loaded in this order:
django_security_hunter.toml(project override)pyproject.toml->[tool.django_security_hunter]
Example:
severity_threshold = "WARN"
query_count_threshold = 50
db_time_ms_threshold = 200
Rule Catalog (V1 Target)
| Rule ID | Severity | Description |
|---|---|---|
| DJG001 | CRITICAL | DEBUG=True in production |
| DJG002 | HIGH | Suspicious/hardcoded SECRET_KEY |
| DJG020 | HIGH | DRF default permissions missing or AllowAny |
| DJG040 | WARN/HIGH | Query count per test above threshold |
| DJG041 | HIGH | Repeated query signature indicates N+1 |
| DJG070 | HIGH | Risky XSS usage patterns detected |
Full rules and implementation progress can be maintained in
docs/rules.md.
Output Formats
Console
Human-readable output for local development.
JSON
Stable schema for automation and custom dashboards.
SARIF
SARIF v2.1.0 output for GitHub PR annotations and Security tab integration.
Exit Codes
0: No findings at or above threshold2: One or more findings at or above threshold
GitHub Actions Integration
Workflow file: .github/workflows/ci.yml
On every push and pull request:
- installs dependencies
- runs tests
- generates SARIF report
- uploads SARIF to GitHub Security
Docker
Build and run:
docker build -t django_security_hunter:local .
docker run --rm django_security_hunter:local django_security_hunter scan --project /app --format console
Using Docker Compose:
docker compose run --rm django_security_hunter django_security_hunter scan --project /app --format console
Limitations
- Some future rules are heuristic and may produce false positives
- Runtime profiling depends on project test coverage quality
- Rule precision improves with project-specific tuning and allowlists
Roadmap
- Django settings hardening rules (
DJG001-DJG012) - DRF auth/permission/throttle checks (
DJG020+) - Static code pattern rules (XSS/SSRF/deserialization/secrets)
- Concurrency and atomicity heuristics (
DJG050+) - Runtime N+1 and DB-time evidence improvements (
DJG040+) - Optional dependency vulnerability integrations
Contributing
Contributions are welcome.
Please follow these guidelines:
- Open an issue for major changes
- Add tests for every new rule
- Keep rule IDs stable and documented
- Include remediation hints with findings
License
MIT
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file django_security_hunter-0.1.1.tar.gz.
File metadata
- Download URL: django_security_hunter-0.1.1.tar.gz
- Upload date:
- Size: 19.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0c61e694f3bcc54b980bdea3cd92732c770b1bc7f9899fa6951c32af6a6629bf
|
|
| MD5 |
10f20068406c9b647a0cc796ddaaaf34
|
|
| BLAKE2b-256 |
3e2094e56b62a3edef2123f8d8d27772f79fe2582851e569187b83f78eb9b1a0
|
File details
Details for the file django_security_hunter-0.1.1-py3-none-any.whl.
File metadata
- Download URL: django_security_hunter-0.1.1-py3-none-any.whl
- Upload date:
- Size: 21.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
24ea3ca17ae04046ef7e64c01a8b0fb1ce0fd17ac584edc4c716faa93edf45f7
|
|
| MD5 |
ff06c135845dbadac46f6f62b4437180
|
|
| BLAKE2b-256 |
9ec8a476ac2d90d5cc0f2f9b1f4a4d1bcc4ff57dc88f9f23a517ee01309e4317
|
