SQL logging enabled in a production profile
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
spring.jpa.show-sql=true is set in the same config file as spring.profiles.active=prod (or production), so every query Hibernate runs, including bound parameter values in verbose setups, gets written to the production logs. That is more data in logs than most teams intend, and it has a real performance cost under load.
Why it matters
spring.jpa.show-sql=true writes every query Hibernate runs to the application logs. Alongside a production profile, that means production logs carry the full text of every query the app executes, which is more detail than most teams intend to keep in a shared, often longer-retained log store, and it costs real throughput under load.
How to fix it
Set spring.jpa.show-sql=false (or remove it) for the production profile and rely on a properly configured logging level for Hibernate's SQL logger where deeper visibility is occasionally needed, scoped to a short debugging window rather than left on permanently.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo