Release profile ships debug symbols
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
Cargo.toml's [profile.release] sets debug = true (or an equivalent truthy level 1/2), so the release binary ships with full debug symbols instead of Cargo's stripped-by-default release profile. Narrow check: only the literal true/1/2 forms are detected, not the string-valued forms ("limited"/"full"/"line-tables-only").
Why it matters
debug = true in [profile.release] compiles full debug symbols into the release binary that ships to users, which makes the binary larger and gives anyone who obtains it much richer information for reverse engineering (readable function names, source paths, and structure that a stripped binary would not expose). This is often left over from local debugging and never toggled back before a release build goes out.
How to fix it
Set debug = false (or remove the line so it falls back to Cargo's default, which is false for the release profile) in [profile.release]. If symbols are needed for crash-reporting/backtraces in production, generate a separate symbols artifact intentionally (split-debuginfo, or a dedicated build step) rather than leaving full debug info in the shipped binary.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo