permitAll() on an admin/actuator/internal path
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A Spring Security configuration matches a path containing /admin, /actuator, or /internal and allows it with permitAll(), so the endpoint is reachable with no authentication at all. These paths typically expose configuration, metrics, or privileged operations.
Why it matters
A Spring Security rule that matches /admin, /actuator, or /internal and grants permitAll() makes that path reachable with no authentication at all. These paths typically expose configuration, operational metrics, or privileged actions, exactly the surface an unauthenticated caller should never reach.
How to fix it
Replace permitAll() for this path with an authenticated() or hasRole(...)/hasAuthority(...) rule appropriate to who should actually reach it, and place the rule before any broader catch-all matcher so it takes effect.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo