← all rules
code/spring-actuator-expose-all
Spring Boot Actuator exposes all endpoints
What it detects
`management.endpoints.web.exposure.include=*` exposes every Actuator endpoint (env, heapdump, mappings, …) over HTTP, leaking configuration and enabling abuse if unauthenticated.
How it runs
Gated on framework detection: the repo's manifests (package.json, requirements.txt, pom.xml, Gemfile, composer.json) are read to identify the stack, and the rule only runs against matching-language files when its framework is present.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.