🦀 ClawHub
Spring Boot Actuator Analyzer
by @charlie-morrison
Analyze Spring Boot Actuator endpoints for security, health checks, metrics exposure, and production configuration — audit info, health, and custom endpoints.
TERMINAL
clawhub install spring-boot-actuator-analyzer📖 About This Skill
name: spring-boot-actuator-analyzer description: Analyze Spring Boot Actuator endpoints for security, health checks, metrics exposure, and production configuration — audit info, health, and custom endpoints. metadata: tags: ["spring-boot", "java", "actuator", "monitoring", "security"]
Spring Boot Actuator Analyzer
Analyze Spring Boot Actuator configuration for security vulnerabilities, health check completeness, metrics exposure, and production readiness. Audit actuator endpoints, management port configuration, and custom health indicators.
Usage
"Audit my Spring Boot Actuator configuration"
"Check Actuator security settings"
"Review health check endpoints"
"Are my Actuator endpoints production-safe?"
How It Works
1. Configuration Discovery
# Find application properties
find . -name "application*.yml" -o -name "application*.yaml" -o -name "application*.properties" | head -10
Check Actuator dependency
grep -r "actuator" build.gradle pom.xml 2>/dev/null
Find custom health indicators
grep -rn "implements HealthIndicator\|extends AbstractHealthIndicator" src/ | head -10
2. Endpoint Security
Critical checks:
management.endpoints.web.exposure.include)* wildcard exposes env, beans, configprops (sensitive data!)/shutdown endpoint enabled (remote shutdown risk)Recommended production config:
management:
endpoints:
web:
exposure:
include: health,info,metrics,prometheus
server:
port: 8081 # separate management port
endpoint:
health:
show-details: when-authorized
shutdown:
enabled: false
3. Health Checks
4. Metrics
5. Info Endpoint
Output
## Spring Boot Actuator AnalysisVersion: Spring Boot 3.3.0 | Actuator: 3.3.0
🔴 Critical (2)
1. All endpoints exposed — application.yml
management.endpoints.web.exposure.include: "*"
Exposes /env (secrets), /beans, /configprops, /heapdump
→ Limit to: health,info,metrics,prometheus2. Management on same port — no separate management port
Actuator endpoints accessible on public-facing port 8080
→ Set management.server.port: 8081 (internal only)
🟡 Improvements (3)
3. Health details shown to everyone (show-details: always)
→ Change to when-authorized
4. No custom health indicators for external services
5. Missing Kubernetes probe endpoints (liveness/readiness groups)✅ Good Practices
Shutdown endpoint disabled
Prometheus metrics registry configured
Git and build info in /actuator/info
Database health indicator auto-configured
💡 Examples
"Audit my Spring Boot Actuator configuration"
"Check Actuator security settings"
"Review health check endpoints"
"Are my Actuator endpoints production-safe?"