Usage of active debug code (pprof enabled)

Description

Enabling Go's net/http/pprof in production environments exposes runtime profiling data via a /debug/pprof endpoint, creating a security vulnerability. The package is part of Go's standard library and, while useful for debugging, provides no authentication of its own. If it is left accessible in production, it can leak sensitive information about the application's runtime state and environment.

Remediations

  • Do not include net/http/pprof in your production code. Remove any imports of this package before deploying to ensure the profiling endpoint is not exposed.
  • Do use build tags for conditional compilation, and only allow profiling in non-production builds.
  • Do configure environment-specific settings to enable or disable profiling endpoints based on the deployment environment.
  • Do implement strong authentication mechanisms if profiling must be enabled in a controlled production scenario to secure the endpoint.
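The second, third and fourth remediations combined, as an added example (not Bearer's own code): profiling is gated on an environment setting, served only on a separate handler meant for a loopback listener, and protected by a bearer token. Instead of importing net/http/pprof, which registers /debug/pprof on http.DefaultServeMux in its init(), the example serves the heap profile through runtime/pprof; the function and variable names are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"runtime/pprof"
	"strings"
)

// heapProfile writes the heap profile without importing net/http/pprof.
// That package's init() registers handlers on http.DefaultServeMux, so even an
// otherwise unused import exposes /debug/pprof; runtime/pprof has no such side effect.
func heapProfile(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/octet-stream")
	_ = pprof.Lookup("heap").WriteTo(w, 0)
}

// requireToken wraps a handler with a constant-time bearer-token check.
// An empty configured token never authorizes anything.
func requireToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if token == "" || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProfilingEnabled is the environment-specific switch (hypothetical setting names
// such as APP_ENV and ENABLE_PPROF): never on in production, off by default elsewhere.
func ProfilingEnabled(env, flag string) bool {
	return env != "production" && flag == "1"
}

// NewDebugMux returns the profiling handler, or nil when profiling is disabled.
// It is meant for a separate listener bound to 127.0.0.1, never the public mux,
// so the profile is reachable only via an SSH tunnel or similar.
func NewDebugMux(enabled bool, token string) http.Handler {
	if !enabled {
		return nil
	}
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/heap", requireToken(token, http.HandlerFunc(heapProfile)))
	return mux
}
```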

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_leak_pprof_endpoint

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_leak_pprof_endpoint