Management or admin endpoints exposed in config
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Config exposes sensitive actuator/management endpoints (exposure.include=* or env/heapdump/shutdown), or enables the shutdown endpoint. These endpoints leak config and secrets or let an unauthenticated caller stop the app.
Why it matters
Exposing management endpoints like the Spring Actuator env, heapdump, or shutdown endpoints hands out configuration, environment variables, memory dumps, or a remote shutdown to whoever can reach them. When exposure is set to "*" these are often reachable without authentication. That turns an operational convenience into an information leak or a denial of service.
How to fix it
Expose only the endpoints you need (typically health and info) instead of "*", and never expose shutdown in production. Put management endpoints behind authentication or bind them to an internal port or network. Drive exposure from an environment variable so non-production can differ.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo