Actuator health endpoint exposes full details
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
management.endpoint.health.show-details is set to always, so the /actuator/health response includes per-component detail (database connectivity, disk space, downstream service status) for every caller, not just authenticated ones. Set it to when-authorized, or leave it at the never default.
Why it matters
management.endpoint.health.show-details=always includes per-component detail (database connectivity, disk space, downstream service health) in the /actuator/health response for every caller, not just authenticated or internal ones. That detail helps an outside observer map your infrastructure and spot which dependency is currently failing.
How to fix it
Set show-details to when-authorized so the detail is only included for a request that is already authorized against the actuator endpoints, or leave it at the never default and rely on the simple UP/DOWN status for public health checks.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo