The latest articles on DEV Community by Abu Rayhan Alif (@aburayhanalif). https://dev.to/aburayhanalif https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1189433%2F8fa22dc5-6c8f-41c1-a934-3b92626e9c9e.png https://dev.to/aburayhanalif en Abu Rayhan Alif Fri, 10 Apr 2026 19:38:40 +0000 https://dev.to/aburayhanalif/automating-django-security-audits-with-sarif-support-meet-django-security-hunter-1018 https://dev.to/aburayhanalif/automating-django-security-audits-with-sarif-support-meet-django-security-hunter-1018 <p>In many Django + DRF projects, the same security and configuration issues show up again and again during PR reviews.<br> To address this, I built django-security-hunter — a lightweight CLI tool that surfaces common security risks and Django/DRF misconfigurations before code reaches production. It’s designed for teams that want automated checks in local development and CI, not just during review.<br> Coverage (high level): • Settings &amp; DRF: production Django settings and REST framework defaults / API exposure hints (when you pass --settings so Django loads).<br> • Code &amp; templates: risky patterns — XSS-style footguns, SSRF heuristics, unsafe deserialization, secrets in logs, hardcoded secret-like names, and SQL-injection heuristics.<br> • Reliability / performance hints: concurrency and ORM-style patterns where applicable rules fire.<br> • Optional: pip-audit, Bandit, and Semgrep when enabled in config or environment (external tools may need to be installed and on your PATH).<br> See docs/rules.md in the repository for details and rule IDs — findings are heuristic, so please triage before changing code or configuration.<br> Product features: • CLI-first with CI-friendly exit codes<br> • SARIF output (GitHub Code Scanning integration)<br> • GitHub Action available on the Marketplace<br> Quick start:<br> pip install django-security-hunter<br> django_security_hunter scan -p . -s yourproject.settings -y -f console<br> Use the same --settings value as DJANGO_SETTINGS_MODULE so settings-based rules (Django + DRF) run; many file-based checks still run without it.<br> Goal: make security checks faster and part of everyday development.<br> Note: Static analysis can produce false positives — always verify findings before taking action.<br> -Found a bug or potential security issue in the tool? Please open an issue in the repository.<br> -Contributions are welcome — PRs, issues, and feedback help improve the tool for everyone.<br> Repo: <a href="https://lnkd.in/g3vd_RqU" rel="noopener noreferrer">https://lnkd.in/g3vd_RqU</a><br> PyPI: <a href="https://lnkd.in/gkFDFAKt" rel="noopener noreferrer">https://lnkd.in/gkFDFAKt</a></p> django python security showdev